Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Here is the completed and scanned document.eml

Overview

General Information

Sample name:Here is the completed and scanned document.eml
Analysis ID:1585304
MD5:09d8f89832aa9ae45c3a14668c2ac9b8
SHA1:921b0f7dfd7e7d85d281d76f2f586897d1cfa2b7
SHA256:79669b97f54feea0d5433ab17a05a4e4574b34defd94d98aacb20561ee46ca73
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected potential phishing Email
Email DMARC failed
Detected non-DNS traffic on DNS port
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

Process Tree

  • System is w10x64
  • OUTLOOK.EXE (PID: 7576 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Here is the completed and scanned document.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7952 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D3888E2E-DFB7-4B28-A5D6-C2ED926F97C1" "C557A7C3-8F6F-4EDD-9631-70AA295F5615" "7576" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7576, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

barindex
AI detected potential phishing Email
Source: EmailJoe Sandbox AI: Detected potential phishing email: Suspicious sender domain 'tools2winretail.com' doesn't match the claimed service. Deceptive display name attempting to impersonate a document sharing service. Suspicious HTML attachment likely containing malicious links or scripts
Email DMARC failed
Source: Here is the completed and scanned document.emlEmail attachement header: ARC-Authentication-Results: fail (p=none sp=none pct=100) action=none header.from=tools2winretail.com
Source: Here is the completed and scanned document.emlEmail attachement header: X-MS-Exchange-Authentication-Results: fail action=none header.from=tools2winretail.com
Source: EmailClassification: Credential Stealer
Source: global trafficTCP traffic: 192.168.2.5:62259 -> 1.1.1.1:53
Source: global trafficTCP traffic: 192.168.2.5:52440 -> 1.1.1.1:53
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: 212.20.149.52.in-addr.arpa
Source: OUTLOOK_16_0_16827_20130-20250107T0741540767-7576.etl.0.drString found in binary or memory: https://login.windows.localR
Source: OUTLOOK_16_0_16827_20130-20250107T0741540767-7576.etl.0.drString found in binary or memory: https://login.windows.localnull
Source: OUTLOOK_16_0_16827_20130-20250107T0741540767-7576.etl.0.drString found in binary or memory: https://login.windows.localrosR
Source: classification engineClassification label: mal48.winEML@3/3@1/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmpJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250107T0741540767-7576.etlJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Here is the completed and scanned document.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D3888E2E-DFB7-4B28-A5D6-C2ED926F97C1" "C557A7C3-8F6F-4EDD-9631-70AA295F5615" "7576" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D3888E2E-DFB7-4B28-A5D6-C2ED926F97C1" "C557A7C3-8F6F-4EDD-9631-70AA295F5615" "7576" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation11
Browser Extensions		1
Process Injection		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Modify Registry		LSASS Memory13
System Information Discovery		Remote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://login.windows.localrosR0%Avira URL Cloudsafe
https://login.windows.localR0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
bg.microsoft.map.fastly.net
199.232.214.172
truefalse
    		high
    212.20.149.52.in-addr.arpa
    		unknown
    		unknownfalse
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://login.windows.localnullOUTLOOK_16_0_16827_20130-20250107T0741540767-7576.etl.0.drfalse
        		high
        https://login.windows.localrosROUTLOOK_16_0_16827_20130-20250107T0741540767-7576.etl.0.drfalse
        • Avira URL Cloud: safe
        		unknown
        https://login.windows.localROUTLOOK_16_0_16827_20130-20250107T0741540767-7576.etl.0.drfalse
        • Avira URL Cloud: safe
        		unknown

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1585304
        Start date and time:2025-01-07 13:40:55 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 13s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:6
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:Here is the completed and scanned document.eml
        Detection:MAL
        Classification:mal48.winEML@3/3@1/0
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .eml

        Warnings

        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 52.109.89.19, 2.16.168.119, 2.16.168.101, 199.232.214.172, 13.89.179.11, 20.190.160.22, 4.245.163.56, 13.107.246.45, 40.69.42.241, 52.149.20.212, 40.126.32.68
        • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, weu-azsc-config.officeapps.live.com, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, officeclient.microsoft.com, wu-b-net.trafficmanager.net, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, onedscolprdcus15.centralus.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
        • VT rate limit hit for: Here is the completed and scanned document.eml

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        bg.microsoft.map.fastly.netfile_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zipGet hashmaliciousUnknownBrowse
        • 199.232.214.172
        c2.htaGet hashmaliciousRemcosBrowse
        • 199.232.210.172
        sfqbr.ps1Get hashmaliciousDcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
        • 199.232.214.172
        Vernales Restaurant-encrypted.pdfGet hashmaliciousHTMLPhisherBrowse
        • 199.232.210.172
        KHK0987.xlsxGet hashmaliciousUnknownBrowse
        • 199.232.214.172
        new.batGet hashmaliciousUnknownBrowse
        • 199.232.214.172
        fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
        • 199.232.210.172
        #Employee-Letter.pdfGet hashmaliciousUnknownBrowse
        • 199.232.210.172
        Agent381.msiGet hashmaliciousUnknownBrowse
        • 199.232.210.172
        build.exeGet hashmaliciousRedLineBrowse
        • 199.232.214.172

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250107T0741540767-7576.etl

        Download File
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):135168
        Entropy (8bit):4.659942166122125
        Encrypted:false
        SSDEEP:768:cYSn5Rg6pOZo1kCtwv94Gf+J9Y+ANa6esdaYUCINdSdXcnAkjIlgmpGkX/VptnC6:In0Zn94GmJ9Y+AaNdSdm/nmpHXm4
        MD5:DF74A1055858B8CE892E2678B11554B4
        SHA1:CC86B8B28567FE19333086D5B0CAA20CE470CC7D
        SHA-256:9D16A0698A2311EBC3EC8C80EF381795F9F274EAD9232EDB0A8F690B65CE3149
        SHA-512:21179E28B1E92A75F25FA3AC707507DA510D6AB43D22BD35AA8705CAC88A0B1D7F5BFA79754DBAE52D59DC27A59CFD447DBA069E7C4CC4DE15E97D509D80CEE7
        Malicious:false
        Reputation:low
        Preview:............................................................................d...........W.T..a..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0..............W.T..a..........v.2._.O.U.T.L.O.O.K.:.1.d.9.8.:.c.0.3.c.2.8.2.8.a.a.f.3.4.e.0.a.9.a.a.f.9.5.d.0.1.5.f.b.8.0.8.7...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.1.0.7.T.0.7.4.1.5.4.0.7.6.7.-.7.5.7.6...e.t.l...........P.P.........W.T..a..................................................................................................................................................................................................................................................................................................

        C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

        Download File
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:Microsoft Outlook email folder (>=2003)
        Category:dropped
        Size (bytes):271360
        Entropy (8bit):2.9707872763944314
        Encrypted:false
        SSDEEP:1536:5miTgRmN9sYNcBPV3dkZf3MG5qTC9AJLNqKVW53jEpEHPVQ10BAwrCUCvxW53jEP:k6xcJeuToAXpjP/pj
        MD5:218805640FC7E0CE034CC8D681A14E98
        SHA1:EF76E66EF7DECCB824F11FB6607B1B6C4B4C1FF0
        SHA-256:6D7DD828DDFE8779BC6EA556969FA5B349D2B69249B16DF0DB3206B1F44EFA98
        SHA-512:3CAA3286C1439E4852A1BBF13C3CC4F5B2E1C8D242B1140CCF2FE75F589BF3CDA798F4C313611AD9498A49043D681962873086897063AFBBAE5286EBBE6ACB82
        Malicious:true
        Reputation:low
        Preview:!BDN.w..SM......\....<..........C.......h................@...........@...@...................................@...........................................................................$.......D......................?...............B...................................................................................................................................................................................................................................................................................................^..Lv.d.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

        C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

        Download File
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):3.776854688601513
        Encrypted:false
        SSDEEP:1536:5X6B3MJ5qTZBT9AGiW53jEpEHPVQ10BAwrRwKTg4wK+v:s3TZvAGApj6q
        MD5:99D40857DF4440832D0082355063780E
        SHA1:AF51B926E1D0C506B644D1513F85F05E769185A6
        SHA-256:2963378174C78240FE143919961D21EE8C69680E401AE854DFD2A596D54A2FF7
        SHA-512:BC533092D0A195C50E4FC41B4541C6B7B4ED29EB26DD10F82F54E2C9722C248D9012E1202891173373F11FE76ED84EA7B12FF104168BE5E520B9FC28A3200377
        Malicious:true
        Reputation:low
        Preview:k..>C...q.............#..a....................#.!BDN.w..SM......\....<..........C.......h................@...........@...@...................................@...........................................................................$.......D......................?...............B...................................................................................................................................................................................................................................................................................................^..Lv.d...#..a..............@.....#......AAAAAAA...A&AAA.d.A.A.A%ALAAA.AAAAAAA.6#.tA.ntA...A...6..LA..bA...A...A6#.A..bA...A.bbAb..A...A...A6!.A*.HA..bA.w.A..bA.w#A..bA.SAA.AbA.S.A.6?.AA.AAA..AAAAAAV.AA6AAA..AAbAAA..AA.AAA?A.A!AAAQA.AnAAA.A.A.AAAOA.A.AAA..AA]AAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6.AV.AAnAAAXAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.A?.AA.AAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.A..AA.AAAA

        Static File Info

        General

        File type:SMTP mail, ASCII text, with very long lines (347)
        Entropy (8bit):6.15032807018834
        TrID:
        • E-Mail message (Var. 1) (20512/2) 100.00%
        File name:Here is the completed and scanned document.eml
        File size:28'972 bytes
        MD5:09d8f89832aa9ae45c3a14668c2ac9b8
        SHA1:921b0f7dfd7e7d85d281d76f2f586897d1cfa2b7
        SHA256:79669b97f54feea0d5433ab17a05a4e4574b34defd94d98aacb20561ee46ca73
        SHA512:783b01ab6ed50b2987a26670c6aa072c2b676fa5ea2b4173e4b54defa6db61787bbe893bb132a1484b40a8a6390e7bb1833045994504b4aed986184597a6b647
        SSDEEP:768:T3QrbCp7kuL01ePSYEpNJPDn3GTNgxDlT0WzmMjCqJbpCGzYRZbG7QDY:T3SCtkubS3pNBC0VSMuqJ9CGzybjY
        TLSH:B4D2BF14D736AD0D76A3D97D3C997C0C414026A8EBBFF950CAAD200816DF6D072DEAE9
        File Content Preview:Return-Path: <7jxOn.noreply@tools2winretail.com>.Received: from out7.antispamcloud.com ([94.75.244.176])..by mail.coredc.com (Kerio Connect 10.0.6 patch 2) with ESMTPS..(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits))..for ama@coredc.com;..Mo

        Static Mail

        General

        Subject:Here is the completed and scanned document
        From:eDoc Coredc | zcqtfspv <7jxOn.noreply@tools2winretail.com>
        To:ama@coredc.com
        Cc:
        BCC:
        Date:Mon, 06 Jan 2025 11:02:39 -0800
        Communications:
        • Your document has been completed. Please download the document to preview it. ama@coredc.com All parties have completed the document! Please fill this out and sign it when possible, thanks!
        Attachments:
        • Onedrive Shared document.html

        Headers

        Key Value
        Return-Path<7jxOn.noreply@tools2winretail.com>
        Receivedfrom clouldfare.com (139.99.165.139) by MWH0EPF000971E8.mail.protection.outlook.com (10.167.243.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8335.7 via Frontend Transport; Mon, 6 Jan 2025 19:02:39 +0000
        ARC-Seali=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=Ue4QvJaoW/zfHvFIE4Dxp5Pqxofox/EL7cfKPMV/gldBTlnC/ym8qleeQ/6/lXd7IJNzsH1BQsk9niYgVfQM5cMc8skdpYy8BoosNaSL2M3vKUkjne+XrEfwZ4GcX4pZpYcVeCKZ+pzfP/j5Pwl8VMGBt2GPX14E2mEle5DuRfAn1LDJknRQfSi1Bf4q1L6raLoYfgTQPy2JDJD0XiHMfW8dW5C7gACBL7AxwwsEZso7tNm89bczadkBkNbsFPp4gL+j4pUOGBLiRMsQL/GaZOxr2cIPEqELsjtPtQlyL43xkZn/aqOg3cQDAJcYzhfnmkCoIzOcLx/4mKyrLtqYVA==
        ARC-Message-Signaturei=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IMUy4sAt961kNl11k2HM49XQc0L2uNeEdQmKwyXul08=; b=boI8tUjLptWtivZwqRpPdF6MiY83HX27XU+O1F9I72LKDb71R34TPG0xhL/73CyKYmvKZDPG5Ppbyn9Sj8K09jey9ZDQuAd5x8lTAi+JRc8EFRXjeG2MaxwYVqljfAJ0eD1wQCNhh0+fh/zr57vVJUHGbp3ejGZ4Cvd88w8MmTU8XWCx/E/S++nfpFov4Xt2csM4BK8zOaaHlmBJuXTL+reS1Pvz4up6U5qcGSKRQQntcmj0eAE+e4EgATO+0PhgjZ8hVWXV+OI6AaqGF3wC/eVRIYNbUnHgXxvC2Xu9vyQCCmUgMysO2iaWi04tApYezZCPLWZuldLOifSB+6biGQ==
        ARC-Authentication-Resultsi=1; mx.microsoft.com 1; spf=softfail (sender ip is 139.99.165.139) smtp.rcpttodomain=coredc.com smtp.mailfrom=tools2winretail.com; dmarc=fail (p=none sp=none pct=100) action=none header.from=tools2winretail.com; dkim=none (message not signed); arc=none (0)
        X-MS-Exchange-Authentication-Resultsspf=softfail (sender IP is 139.99.165.139) smtp.mailfrom=tools2winretail.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=tools2winretail.com;
        Received-SPFpass (mx269.antispamcloud.com: domain of tools2winretail.com designates 2a01:111:f403:d800:: as permitted sender) client-ip=2a01:111:f403:d800::; envelope-from=7jxOn.noreply@tools2winretail.com; helo=BYAPR05CU005.outbound.protection.outlook.com;
        FromeDoc Coredc | zcqtfspv <7jxOn.noreply@tools2winretail.com>
        SubjectHere is the completed and scanned document
        Toama@coredc.com
        Content-Typemultipart/mixed; boundary="wF17Y=_oO3w4erqEFKwsbyLAYUAGvIvIBh"
        MIME-Version1.0
        DateMon, 06 Jan 2025 11:02:39 -0800
        Message-Id<063720250102111205524308-AD5285EFB1@tools2winretail.com>
        X-MailerOutlook Express 6.00.2900.2527
        X-EOPAttributedMessage0
        X-MS-PublicTrafficTypeEmail
        X-MS-TrafficTypeDiagnosticMWH0EPF000971E8:EE_|SJ0PR04MB8421:EE_
        X-MS-Office365-Filtering-Correlation-Id923da074-7b11-4618-2ded-08dd2e84b0f2
        X-MS-Exchange-SenderADCheck1
        X-MS-Exchange-AntiSpam-Relay0
        X-Microsoft-Antispam BCL:0;ARA:13230040|36860700013|82310400026|376014|61400799027|16072699012|563134004|36310999015;
        X-Microsoft-Antispam-Message-Info sEtauOSbLJso/JyvafEbz0Cfwe5snGoX2Mgl3qP9YRgC6dv1jUzrp6JJeW3egAL1Am5Y6Qpm+X7K7G8+AyiZIuFhrzFldV474Y83bLieSiO6bg/0wduU4uRAi2yE/FEh5VYzMXbCkPZCLUxgcQxRm0bJeokl4Co5CiQvhAyw8eTwi+80yJtXAkofcZVxtOy0NFzICRejfQL8/bLTiKFetsWTmbptDrV0gsoMkztE1zDBt9yMY9d9KhSgETkHB/Rp7da6RJA/t8KoZCrjcBTYfBP60fUe4n44ztQxUmmB5JSvL7Sb08FTqjAJJBXjkepAXJcUYrWC31W3M2gszI4TfOOWmUq+C15WDrPSPzvCGcWRxTr5wAQHsXI2/R4x7qa19WLHtNVjTQHgtKbsdkagkDnrakVp7voB2i8zM54BmD+Xt68zGqRUN0s7Guft1kTgbJ+8mDEofG14f7/JhFweycMEQxdxu80q0cPd5bUb877RvzxKDpjvbBf4Bzo4+W/p90FSBGa0W2Gxcnu+IPU81iN6JsSi9SErmfHVEX/Zh16D81BdEqpj0LcGNSwtTq296FmPJvWNSbhuQRDMtCZfUva2q/vWx4tujdoanjgs8XMgxXatxmnDP7g3I85CJRlEv65Lm5D8hbVEMxJ+R/xeoAypV8e6MlPB5uST4X1/hhUkG8np91ZVnEZ4TGbIcAXcOqE+GDV7Fnmo8nSW8TVit1m8v9baVIz23eq1WNFl+fthSjVozSkkl5xWMhtKQXcF1kayws5JkZIMcEYU03Y5QUFZT5C+mYs1n42/Hj8QebXcji7YtufJm5gnq/ZURtVgtVzPm9+L0hPjCVtiHGdu0med7s8jPpsNmbaSw9xvxJBPWLkwnYlzJdQYNQEnMZHwqdUhoEG0O0g/l8HhkorOwJjCu5caU0e9lkN/kA0Shrppf7N+ElSijE89D6tpeVOAo0iqGu6r59BIGeLB0Y+hLDDfrHdSSePMmgpVzbvUs2WIRgo7Ikt7YOecH0uqBH85jfEFk5TjZAUUVzNB8SsI2Q6tKfXheju2vISm1eTpRlDOTTiCdpjTkSwVFFukub5v2T1ZgVTVSl1r6m2IQVMw/MqfKzKw9b4UJv/8A4p8sE3c2A0ie0MY6WPF4silo/hSHbyR7pvxi4Io9DKr81C6u2Fcxofn4InpiaKqgDx8hKGPKvrSFQ/Yea29mkcePSMvdRBU0R4fENOttYHrKI8dngIf8TKCzkxbwvSvEDZBmJ6MotejMI8cJmldmLNvQMF43Vi3AN7g7dWqqsaq1xTDegz2LIxhvgGLu02AfQkiwKLfsDWFy+Ri1iVg9CtFgITU6I0a3ARFFtr4llJ4dtFjtjJbIyhHEUVtgWWTF2jwCEr55pTAuaItSbPJz55l2/GJtctwB/hJdiXCe4t13hB9Z7yiu7bHMIgCrCj2WZitG5xI5UQQ5cMbZykfBxXzhx4jjuBrVhl06xopOz/qrJseW1KX0ZEsOEvSVem1HbXO5ni158+H2Cf8p3LcB86B0xbbfLwzcC2omW40W26chxNK5dib1R1Eou+fyex5+Om6kCdcXXPQAGQCDjRddZm7/qdk7W7M8/lmH8efphmnaOPIwoM5BuCBynZKHXo9sxeyJiiLXqsa/hLRo1kfykNgvkTpKPMft+t5yn8IZIEk7jT1UDfBvNbBHLiP/RHqbtpsr55l3rBgXhXR0+6w7FENK1HXCOmNqaeZW6IBcZ0qRrDrXOJjCaK9L8Ew1+96PR4TeQAirWGaDekU5ZHHS7RPN2WTagFroz1M0WhEZGusGK54B0taNW/9FqZQZFJBAp15qCRIV3zTFe6ILkS4f3rgiEYtHW8BY224nAHNsrCOkntdSsPe4sHlZWwHzbVBEp4VM417ICd1ATxwbyZ6H5a2707iy7ob4T6oOU7kdTmwAcleG1WcpW4oia9Aca5ncXujP04K2De/yu4DtPGG2EZaODVeqsWTUiv9ymhUyJ4tgDeRfU8qRPb1DEhFv/vdMoUEj11a6sbzQXXZu3NPmrLh8egBefaROwMTIh0KrAGlqSDK41CbwD/Lw2rmJuJSpuQhBH2u7I6FRdPShLPLkVBs1Py78D3ZpE9eocd/Ya1BamJeIGaS4Oa8mAXZAdqNehDIirOJ7vjdnqEjMzA1wAJPYGzwISsQXd1U7VK/n/Hy1s+MZJyOUSxbK4v1zP3Zoa9mOLODbBXaqzmm6wdq4xRze/Z+DnYsShbgH2m6Q2PWcuJYbzNe0ZJDXH2P6WCyt56mIIEVDGfVZZuVdW95SGns1sdBRpyHVIBLgaikYrkndFcf0QyGLd2yZeM3tTFGXyl9xmVUyoSTJg6q4yb+qXftE8JZrxc7QFi55grkI04KAluwygn9/gGSFnWyo8onT29kaiwbYtr5if2ihRHH4/VNreuyflIXfPx6PT2LPgV8h8W3oJnYBInrMqlPgH6kAY0iou4=
        X-Forefront-Antispam-Report CIP:139.99.165.139;CTRY:AU;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:clouldfare.com;PTR:ip139.ip-139-99-165.net;CAT:OSPM;SFS:(13230040)(36860700013)(82310400026)(376014)(61400799027)(16072699012)(563134004)(36310999015);DIR:OUT;SFP:1501;
        X-OriginatorOrgtools2winretail.com
        X-MS-Exchange-CrossTenant-OriginalArrivalTime06 Jan 2025 19:02:39.0388 (UTC)
        X-MS-Exchange-CrossTenant-Network-Message-Id923da074-7b11-4618-2ded-08dd2e84b0f2
        X-MS-Exchange-CrossTenant-Id4da6a4ed-1de0-45d6-9b28-5d1efea2bb10
        X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIpTenantId=4da6a4ed-1de0-45d6-9b28-5d1efea2bb10;Ip=[139.99.165.139];Helo=[clouldfare.com]
        X-MS-Exchange-CrossTenant-AuthSource MWH0EPF000971E8.namprd02.prod.outlook.com
        X-MS-Exchange-CrossTenant-AuthAsAnonymous
        X-MS-Exchange-CrossTenant-FromEntityHeaderHybridOnPrem
        X-MS-Exchange-Transport-CrossTenantHeadersStampedSJ0PR04MB8421
        X-SPF-Resultmx269.antispamcloud.com: domain of tools2winretail.com designates 2a01:111:f403:d800:: as permitted sender
        Authentication-Resultsantispamcloud.com; spf=pass smtp.mailfrom=7jxOn.noreply@tools2winretail.com
        X-Spampanel-Classunsure
        X-Spampanel-EvidenceCombined (0.75)
        X-Recommended-Actionaccept
        X-Filter-IDMvzo4OR0dZXEDF/gcnlw0W1qM9OcPzJ9YbzMuV3suMKpSDasLI4SayDByyq9LIhVPVXONZorfVPm Ig8yjvyL1kTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDO2rLyLEFG+efsqHSEwilrpj9 EvBvwu01uVCaGVBWGqtjx1nGv9wcVQHIG1zkAV9W2kDN/MHG/tk+OBQVEowst1c8kLCTErh90CU3 /ps/n2TJOeIu1y7EbyRWksEZ9x0jK5uN4Nhp7uOkWlmbQCkb22ZahCgUvTCueR5bi0bHK/zq20Ir djTsEn8SSkbQKzz72uNIutGUgOOU1d7zP0IzRJc2U9pupMpV7IKkiJNmJEfskbZmeZzTL1YTEdfH u1rCSQ9g0nnV4fDFlhJr2ODpv1DBaLChQHOQr/kVk71YZ+M4lUhleGxK1cXYP3CiRw1Tugk/TNbL VqFE8m0alOSe9N9fxN2oReTDHAyOynaY0ClcqmlN0Am+3nOtnembDnMBmdySlZou9qHIGOZDEEo7 Owe4HWYH/z7sdXOfHCsVEZouMGQ4DiUkiT/mRx1mtCEM9ngl7EKICrwmSWNWIze1fPlwf46ajxCs 2fE9/cuikhDiXSby+2vXVLZ/ZdwU3ORj++DuIQUs/5JJj4C/n4CILlTRndWJl2Xl/Y8qCTk2Czv9 b2bcVafhhZs1gMEioif465aNI5FZUTvT1f1cTePU/DzYqp/CxNV/mRDVAfTZCIHsxBoFbdIyTZwD 0tTyhMSscJvXbl3jeSR1QgqmNVi1EGhZVOisvoJ744rs3lbZorTYU5QgjZ82d+iyZzpIMDv8KGRv QEF3FLFrOnxRiVjTMNH+BtxsajLDh58wUAFSXY8u1P1Sv0JAAhMee4sPjNWvIbtf63VNbf0lrvss Y+k7ABo9D2tqf4DULohY1lyI1zZWX1tc21uQB7LzHSfmcfLKyJk4O6DtrI4CX/tu77cn+JMqrDBz 8bmo/O1i1/VBoF1RAYGGs10R0L+0q1wNBANdDee5A8esHIlnr+yJWwdEQ5s77ycxFgv2R6RUvh2H HTqJ+cv73CChOPjKA0/DVd83NKZx1/egxD/lODh+l6xrFg==
        X-Report-Abuse-Tospam@quarantine14.antispamcloud.com

        File Icon

        Icon Hash:46070c0a8e0c67d6

        Network Behavior

        Network Port Distribution

        TCP Packets

        TimestampSource PortDest PortSource IPDest IP
        Jan 7, 2025 13:42:07.318691015 CET6225953192.168.2.51.1.1.1
        Jan 7, 2025 13:42:07.323543072 CET53622591.1.1.1192.168.2.5
        Jan 7, 2025 13:42:07.323659897 CET6225953192.168.2.51.1.1.1
        Jan 7, 2025 13:42:07.328438997 CET53622591.1.1.1192.168.2.5
        Jan 7, 2025 13:42:07.768351078 CET6225953192.168.2.51.1.1.1
        Jan 7, 2025 13:42:07.773449898 CET53622591.1.1.1192.168.2.5
        Jan 7, 2025 13:42:07.773704052 CET6225953192.168.2.51.1.1.1
        Jan 7, 2025 13:42:09.865349054 CET5244053192.168.2.51.1.1.1
        Jan 7, 2025 13:42:09.870151043 CET53524401.1.1.1192.168.2.5
        Jan 7, 2025 13:42:09.870274067 CET5244053192.168.2.51.1.1.1
        Jan 7, 2025 13:42:09.875070095 CET53524401.1.1.1192.168.2.5
        Jan 7, 2025 13:42:10.312880039 CET5244053192.168.2.51.1.1.1
        Jan 7, 2025 13:42:10.318248987 CET53524401.1.1.1192.168.2.5
        Jan 7, 2025 13:42:10.318334103 CET5244053192.168.2.51.1.1.1

        UDP Packets

        TimestampSource PortDest PortSource IPDest IP
        Jan 7, 2025 13:42:07.318320036 CET53644991.1.1.1192.168.2.5
        Jan 7, 2025 13:42:09.864921093 CET53644131.1.1.1192.168.2.5
        Jan 7, 2025 13:42:11.964227915 CET6298953192.168.2.51.1.1.1
        Jan 7, 2025 13:42:11.971460104 CET53629891.1.1.1192.168.2.5

        DNS Queries

        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
        Jan 7, 2025 13:42:11.964227915 CET192.168.2.51.1.1.10x7712Standard query (0)212.20.149.52.in-addr.arpaPTR (Pointer record)IN (0x0001)false

        DNS Answers

        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
        Jan 7, 2025 13:42:00.496326923 CET1.1.1.1192.168.2.50x7323No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
        Jan 7, 2025 13:42:00.496326923 CET1.1.1.1192.168.2.50x7323No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
        Jan 7, 2025 13:42:11.971460104 CET1.1.1.1192.168.2.50x7712Name error (3)212.20.149.52.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

        Statistics

        CPU Usage

        Click to jump to process

        Memory Usage

        Click to jump to process

        High Level Behavior Distribution

        Click to dive into process behavior distribution

        Behavior

        Click to jump to process

        System Behavior

        General

        Target ID:0
        Start time:07:41:51
        Start date:07/01/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Here is the completed and scanned document.eml"
        Imagebase:0xf0000
        File size:34'446'744 bytes
        MD5 hash:91A5292942864110ED734005B7E005C0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        General

        Target ID:2
        Start time:07:41:58
        Start date:07/01/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D3888E2E-DFB7-4B28-A5D6-C2ED926F97C1" "C557A7C3-8F6F-4EDD-9631-70AA295F5615" "7576" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Imagebase:0x7ff765180000
        File size:710'048 bytes
        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Disassembly

        No disassembly