Edit tour
Windows
Analysis Report
73179d48.eml
Overview
General Information
| Sample name: | 73179d48.emlrenamed because original name is a hash value |
| Original sample name: | vm-autoplay-0bae73179d483ee6de0381dabb0ae3d4-58133b997985eb4be4bc3a81a0092686b34e722e0bae73179d48.eml |
| Analysis ID: | 1586145 |
| MD5: | c437dfd427b856aee2b4e7ec325ae196 |
| SHA1: | 6f5a607938deb661bbc37114d7dc94ef131738a2 |
| SHA256: | c8e11b304c0ec61a82f6297ee5c667b25d3559cc375fb1dff040960d34a3852d |
| Infos: |  |
 | |
Detection
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Email DMARC failed
Email SPF failed
Email DKIM failed
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Classification
- System is w10x64
OUTLOOK.EXE (PID: 2332 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\OUTLO OK.EXE" /e ml "C:\Use rs\user\De sktop\7317 9d48.eml" MD5: 91A5292942864110ED734005B7E005C0) 
ai.exe (PID: 5820 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \root\vfs\ ProgramFil esCommonX6 4\Microsof t Shared\O ffice16\ai .exe" "D47 21AE9-B2A1 -4134-B84B -30910338B AC2" "4C0C 6B3A-1127- 4256-801A- 0012A05666 6B" "2332" "C:\Progr am Files ( x86)\Micro soft Offic e\Root\Off ice16\OUTL OOK.EXE" " WordCombin edFloatieL reOnline.o nnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Phishing |   |
|---|
| Source: | Email attachement header: | ||
| Source: | Email attachement header: | ||
| Source: | Email attachement header: | ||
| Source: | Email attachement header: | ||
| Source: | Email attachement header: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1586145 |
| Start date and time: | 2025-01-08 18:53:32 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 14s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 7 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 73179d48.emlrenamed because original name is a hash value |
| Original Sample Name: | vm-autoplay-0bae73179d483ee6de0381dabb0ae3d4-58133b997985eb4be4bc3a81a0092686b34e722e0bae73179d48.eml |
| Detection: | MAL |
| Classification: | mal48.winEML@3/3@0/0 |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 20.189.173.15, 13.107.246.45, 172.202.163.200, 184.28.90.29
- Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, onedscolprdwus14.westus.cloudapp.azure.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, uks-azsc-config.officeapps.live.com
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: 73179d48.eml
⊘No simulations
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
⊘No context
⊘No context
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250108T1254420084-2332.etl
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 106496 |
| Entropy (8bit): | 4.483441650643708 |
| Encrypted: | false |
| SSDEEP: | 768:ef76/hj9uRTZjP84krv4g+Z9u0Sj6nWTWNudXqODAk8/l:eTds4g+Z9u0SjbXtY |
| MD5: | F60E1CD86956337788AD3FD1A607DC38 |
| SHA1: | D2248E93D1B30A9A6721B39CDC8D6308A353C321 |
| SHA-256: | 3772D532E0A34064E46229A37ED882E6F97E887C0662F4DA984B860B43C50404 |
| SHA-512: | A6431F81498922AA0A0E73F699D09FA4E4E8991F174A50D2F460C463E65227F8C61E43DFDD8B8D54A14A79860370D8F96130108684A749E63B93B971256B721B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 271360 |
| Entropy (8bit): | 2.801513442140322 |
| Encrypted: | false |
| SSDEEP: | 1536:jACNvgKEqi+XOWekuasj/CZimRY1939toc/e0W53jEpEHP4qQ10PAwr1:87WYz2Wp9 |
| MD5: | 518AA249AC53880D699EA544E2D83889 |
| SHA1: | C57F384B3802078BD17CE8A369D3F4FA5A84EF6F |
| SHA-256: | E761743E4C53C30FE9E7EE4C559B1D088D8819C8C3D8DF371BC6B7E32350287D |
| SHA-512: | 27AA64DFC41209B58A50556FB31B9CB29BE9E3FA6F038E539099598C48951A7DE980717946C53C61D17E0111BF1DAAACD13501F3932D86D6FBAB3D72CF774AF3 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131072 |
| Entropy (8bit): | 4.52928442772134 |
| Encrypted: | false |
| SSDEEP: | 1536:g+XOWeluasj/xZimRz196zqsygjOdzW53jEpEHP4qQ10PAwr1q/3Bg:VzzQ2Fp9 |
| MD5: | 04A8B04271FC85258FA15FD935FC12A4 |
| SHA1: | 90D9BAAEBF809169135FC97B47A5FCB4619FA310 |
| SHA-256: | 922E7B2A46E98EC78DB07F9D57C579DA9E1094D9CD1EE2991B1CCAADC7A016EE |
| SHA-512: | 1127947182C2311EDBDEF6A3E32DAC3BCC850980597A35F79CA24E5C75334147B59C759173F50EB65591FAFFE0BF9848715006F8510FE61F0391E916750813B7 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.100926062052358 |
| TrID: |
|
| File name: | 73179d48.eml |
| File size: | 34'439 bytes |
| MD5: | c437dfd427b856aee2b4e7ec325ae196 |
| SHA1: | 6f5a607938deb661bbc37114d7dc94ef131738a2 |
| SHA256: | c8e11b304c0ec61a82f6297ee5c667b25d3559cc375fb1dff040960d34a3852d |
| SHA512: | defe056bda2960e2a88b98efd8bd242b569212cb5aaea4a12d87a8d90699a8da5625cc783f9d6859c4ea326e41840013d5e5e88cdf13e98165fc2d37e5b55351 |
| SSDEEP: | 768:KUbHmjiIvqt7TKhrp61SeXNfMZN8gRmHcaNIbYpmh/9nkLpC795wQDDnoP5:jbHmmt7TK9QSeds8kmH1IcpY/9nkLpEM |
| TLSH: | 1CF25C627EE26934F84635CA4E05FC0612536DE349F3E0C4A8699B591A5F0BF2F424BF |
| File Content Preview: | Received: from BN0PR16MB4399.namprd16.prod.outlook.com (2603:10b6:408:152::23).. by CH3PR16MB5303.namprd16.prod.outlook.com with HTTPS; Tue, 7 Jan 2025.. 20:31:18 +0000..ARC-Seal: i=4; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;.. b=bWVa1H |
| Subject: | vm-autoplay-0bae73179d483ee6de0381dabb0ae3d4-58133b997985eb4be4bc3a81a0092686b34e722e0bae73179d483ee6de0381dabb0ae3d4- 1/7/2025-58133b997985eb4be4bc3a81a0092686b34e722e |
| From: | Gf caller service <arb@arbernard.com> |
| To: | bgleason@gf.org |
| Cc: | |
| BCC: | |
| Date: | Tue, 07 Jan 2025 20:29:39 +0000 |
| Communications: | |
| Attachments: |
| Key | Value |
|---|---|
| Received | from [127.0.0.1] (192.169.6.164) by BN1PEPF00004685.mail.protection.outlook.com (10.167.243.86) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8335.7 via Frontend Transport; Tue, 7 Jan 2025 20:29:39 +0000 |
| ARC-Seal | i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=NdAYh+sSamvGk9S529kt2eDZzmJ43dyMN0MLJPxPCPsdrX+Zqt9/ucwbTW3QrJq3mcFVE5iO5pCZSeVOZ/wK76E8yQpvFic5FLXT5/hU/FYjklzKkuFGcDP2NbTHlHjuKfUG4G3613KUKMMQ5/bXD0MDEoh2I9L14nED0eTHgyn06GoBlM8KxxOxXp9scCR2RgElLOj+9/9fiBGZwIiZMOccHcfbazYLyza+WA7FY9+CzcQVBM555BFn7Cyd3z/pWLgdGrFhMX9MwhTipBTcsQIuMWN4I0IyVbAKzknCk5RxlMEVSwK3/h1X0GlyBQ+BQ6U/tGJWEcOH9rLVR0Hr9g== |
| ARC-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=RgJRAeAnPAA2tJxZTkNlv76Unpu9qNy9C6Dn7XulQbs=; b=Bk3ogjnJPvIhuGuzuldHKan9QbyZo9APWapfYQuOlX0msIh5I/u1e7yKox4exO94tZ2fOpj35k4K1eXLmvlPrr1krbYkKG4FH0T8mZhSN9IqU4H7eSHdjac3awQP1ySeIrURkDTSfoYus4bNIX+4bece7+KTjdKuTjt2EjMQpqG1m3GXEsSm25WncDMUMhO7kKdFPaLpPUpKNzCG60oIrfVQetXSF3+t5w1KFEHelmT3WrmeAcAYttRTrJ+bZHtDZlHYT1RN8HoZioqQFvMdV6YlnXJwFq2ezbZtVFU7EM1kuWPVDpmxy4wWLYMhkbWYRFZTc3hmDhqn2eSIkJ297Q== |
| ARC-Authentication-Results | i=1; mx.microsoft.com 1; spf=fail (sender ip is 192.169.6.164) smtp.rcpttodomain=gf.org smtp.mailfrom=arbernard.com; dmarc=fail (p=none sp=none pct=100) action=none header.from=arbernard.com; dkim=none (message not signed); arc=none (0) |
| Authentication-Results | spf=fail (sender IP is 35.174.145.124) smtp.mailfrom=arbernard.com; dkim=fail (signature did not verify) header.d=arbernard.onmicrosoft.com;dmarc=fail action=none header.from=arbernard.com;compauth=fail reason=001 |
| Received-SPF | Fail (protection.outlook.com: domain of arbernard.com does not designate 192.169.6.164 as permitted sender) receiver=protection.outlook.com; client-ip=192.169.6.164; helo=[127.0.0.1]; |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=arbernard.onmicrosoft.com; s=selector2-arbernard-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RgJRAeAnPAA2tJxZTkNlv76Unpu9qNy9C6Dn7XulQbs=; b=g9wKnYPN/3cGbLcIAMzaGYE+6Ph07Dm+PnipL1OO3JB62m7uA3aR+cO6q8ASSMS3qFRsogrVcDAIfyPX8VkRRIcA2QSFc4S+1dxK45uJfRSzPzOZP08qIIDjU+5dcoocm930PiQLyojumPmiAzGmxfJvWloqnvSyeOpD8shJfdw= |
| X-MS-Exchange-Authentication-Results | spf=fail (sender IP is 192.169.6.164) smtp.mailfrom=arbernard.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=arbernard.com; |
| Content-Type | text; name="VM_MSG-Gf.htm" |
| Content-Transfer-Encoding | base64 |
| Content-Disposition | attachment; filename="VM_MSG-Gf.htm" |
| From | Gf caller service <arb@arbernard.com> |
| To | bgleason@gf.org |
| Subject | vm-autoplay-0bae73179d483ee6de0381dabb0ae3d4-58133b997985eb4be4bc3a81a0092686b34e722e0bae73179d483ee6de0381dabb0ae3d4- 1/7/2025-58133b997985eb4be4bc3a81a0092686b34e722e |
| Message-ID | <375db1de-3fb6-453a-27cd-732166b71120@arbernard.com>(restored) |
| Date | Tue, 07 Jan 2025 20:29:39 +0000 |
| X-EOPAttributedMessage | 2 |
| X-MS-TrafficTypeDiagnostic | BN1PEPF00004685:EE_|SJ0PR06MB7863:EE_|BL6PEPF0001AB58:EE_|SJ2PR16MB5210:EE_|SJ1PEPF00001CE7:EE_|BN0PR16MB4399:EE_|CH3PR16MB5303:EE_ |
| X-MS-Office365-Filtering-Correlation-Id | f51b8f44-bb06-44eb-42b8-08dd2f5a3b6d |
| X-MS-Exchange-SenderADCheck | 1 |
| X-MS-Exchange-AntiSpam-Relay | 0 |
| X-Microsoft-Antispam-Untrusted | BCL:0;ARA:13230040|35042699022|12062699021|8052699015|43540500003; |
| X-Microsoft-Antispam-Message-Info-Original | N+x58joauQlqRjdW9g2MTZCvyfh4tZUcW4tSpsz479DuH8WJn065kbaHsJTsU3XUzgbn6ZqvzOu7MQeDFIdN+7UsYYwxb5bh85RrP2uZxWCmolP7aktXuIuy+Rc6CFO57iwxRWr1LDwL7Ryl2avNfQuJrnUSgBtHtJTSsqG7kJ85wDSNpLC0Qp5L7BtzZfhX3YCr8pLm7WeSvTwYfgtnu5Vtzt274eHmaKWFFniudX66K8BvTxMK2Et31dilQZWAfOBBj7HIFioiN/1EfXiXcY8c4ujnxxg/Fxi0Sqg7PgJtAMmXX7nbVNNFY/4i+0zJ7sLwdA1sWNM8QPRTetmpfSEaKv++gjppVMjs/di+gvXxhdYN53oPEEUjLDpE3ZB/pHq3IjIXG+3sNncgFaK2ubLJOFSgSYDkWeJTn93yIXYt39H4Krm94R+lWQgkPiQUA7Sn8r0EwPvY0hGFqbxQ7H6i2SsOzES/QhHH2DgWhxPIxsGoKkgvBNc1JisW4iZFe4o+JDvbB3M/ROL9AwD+oHx/M+11nIv5Np66OhvLRjN8Xgl/CuUj8zVHVzAWPcG7A0uZdVRX73foeOdKsmfmSIHZcQ5m+fxIcGiQlMwAGiVwVJ8TaN/937HdNBPR1QTSainrGtR02x7xE1A0gmkt8pkeeIH5aMoiEiV+9T5jSmNLUluHVhlepGe7YdBzK1XaGAvpmzb5dmNWapyv5PoaldpVKAGj53+E6vcqDhUc2IUURURU0k1W52 y5CAdm5RIs7crxfZoBfLgYQXWOjVEoUKpYMcqNd2J2HDjQ4IRg9NYr7Nd+MRFywf9Dom5dVdu0de460tYI3anU9EOecBmyFI0pUk5TuuU4RcsaqJRBlOTamd/okt0Cz77EL8E8xa0ZmqQ5ZzCF4vBw0P5hwURmPM0FbeyFw2TpnYDSm8k6myqpkxbgueWiAFPYHYnuOQaXJn+VuCSAtBU7LpDrNC6imBuJd/ftG5QGNVysu1z2aiR7HKABlBjZu9i576pUIFS8QMdtR5zYI1nRGK8T5RrlRVa3+Z4CBBa3UwggMSJB1+Oe/1lB2D0YhcUJy9J7hq2r+Bqh6oEoSypB63CW5ZvcihCAmMFItVXXdyTPEL4/5nOPZIgP0PdOXUP+m51hH0vsLzUb03Tmj3I+QOp0Y2pnN1+peTgia32EHYMbFMAqBm13WQMaTNW2eKHAro7Ui3VVoTL02FA00tLyLwmeFUlx/zG2PiH9RDuo8ohPOp/rdNqy5jjCBy+s7bjcm4779dEgm5FJX7Tft7fpSkj2IlNSKz/Ob7micT0w7vfu/w97FWg1J/GDUiYkp1SWovByY1BFjIb63BX+2TvygdrHYjwFRZE1u6xF3ciftPvrlxm3V4/8CYYBDVT/x5QjBV4SN8Yu3P75ScdSxXsjV5/X7+/09nnSnVSS9C9vXyy6GUqTJzecBfZaNo5AdY4fZGROhL1iuLhQ5Jm2+uw5rO8roWVl+ExMawzrZ+GIFb8CFe2SOEg9H8TQyoFdx5VUToItCCnN/jhN2iCTITNL80/cCAT011mE3VXJeATxQMY88u93lH6J4mcsnpSA8xcwe1R85yuQGyYf0LsBiNFiPAuKkwBeHtQHLKpmjys1Xzv+3kyKPwD1EwbH4OvKgaJlsFWXva6/alifY4jXafpjSBx0xUKyjMV7/EkvyHULD0tiBgg9BN/Zc6DBHfpElKOlrWEw6q5MXXGBBCg8pJOn6lDJyxIk/EbRFDRQk560eHo7mpO/9H8besCAtfqJN1710G2ZUh7Thw4ojjv7aO2+Dz41ABrTt5/QsZ/PpuLACnQtwgLRxuI= |
| X-Forefront-Antispam-Report-Untrusted | CIP:40.107.220.103;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM11-CO1-obe.outbound.protection.outlook.com;PTR:mail-co1nam11on2103.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022)(12062699021)(8052699015)(43540500003);DIR:INB; |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | BN0PR16MB4399 |
| X-EOPTenantAttributedMessage | 7b799807-c2b7-41d1-9ce0-c3d50675b35d:1 |
| X-MS-Exchange-Transport-CrossTenantHeadersStripped | SJ1PEPF00001CE7.namprd03.prod.outlook.com |
| X-MS-Exchange-Transport-CrossTenantHeadersPromoted | BL6PEPF0001AB58.namprd02.prod.outlook.com |
| X-MS-Office365-Filtering-Correlation-Id-Prvs | c4884dc6-4843-43f8-e5c8-08dd2f5a07fe |
| X-CLOUD-SEC-AV-Info | guggenheim,office365_emails,inline |
| X-CLOUD-SEC-AV-INT-Relay | recv<mta-outgoing-mt-prod-3-4.avanan.net> |
| X-CLOUD-SEC-AV-UUID | 5dfa5729a9f144eb934f1477d4bfcf0e:guggenheim,office365_emails,inline:a95bafe401a47810900a3504bd6da1a9 |
| X-CLOUD-SEC-AV-MTA-MTA | mta-outgoing-mt-prod-3-4.avanan.net |
| X-CLOUD-SEC-AV-Received | from ec2-3-91-66-210.compute-1.amazonaws.com (ec2-35-174-145-124.compute-1.amazonaws.com. [35.174.145.124]) |
| X-CLOUD-SEC-AV | RESTORE |
| Authentication-Results-Original | mx.avanan.net; arc=pass; dkim=pass header.d=arbernard.onmicrosoft.com; spf=pass smtp.mailfrom=arbernard.com |
| X-CLOUD-SEC-AV-MTA | mta-outgoing-mt-prod-3.avanan.net |
| Return-Path | arb@arbernard.com |
| X-MS-Exchange-Organization-ExpirationStartTime | 07 Jan 2025 20:31:14.7056 (UTC) |
| X-MS-Exchange-Organization-ExpirationStartTimeReason | OriginalSubmit |
| X-MS-Exchange-Organization-ExpirationInterval | 1:00:00:00.0000000 |
| X-MS-Exchange-Organization-ExpirationIntervalReason | OriginalSubmit |
| X-MS-Exchange-Organization-Network-Message-Id | f51b8f44-bb06-44eb-42b8-08dd2f5a3b6d |
| X-MS-Exchange-Organization-MessageDirectionality | Incoming |
| X-MS-PublicTrafficType | |
| X-MS-Exchange-Organization-AuthSource | SJ1PEPF00001CE7.namprd03.prod.outlook.com |
| X-MS-Exchange-Organization-AuthAs | Anonymous |
| X-MS-Exchange-Organization-SCL | -1 |
| X-Microsoft-Antispam | BCL:0;ARA:13230040|12062699021|82310400026|35042699022|8052699015|43540500003; |
| X-Forefront-Antispam-Report | CIP:35.174.145.124;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:us.cloud-sec-av.com;PTR:us.cloud-sec-av.com;CAT:NONE;SFS:(13230040)(12062699021)(82310400026)(35042699022)(8052699015)(43540500003);DIR:INB; |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 07 Jan 2025 20:31:14.2525 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | f51b8f44-bb06-44eb-42b8-08dd2f5a3b6d |
| X-MS-Exchange-CrossTenant-Id | 7b799807-c2b7-41d1-9ce0-c3d50675b35d |
| X-MS-Exchange-CrossTenant-AuthSource | SJ1PEPF00001CE7.namprd03.prod.outlook.com |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-EndToEndLatency | 00:00:03.7750144 |
| X-MS-Exchange-Processed-By-BccFoldering | 15.20.8335.010 |
| X-Microsoft-Antispam-Mailbox-Delivery | ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003); |
| X-Microsoft-Antispam-Message-Info | 9JK8XWn/CmwQPt/1hQjYQPrprMR3f9py05gr1KVG+W2Y+yQZIPv4jGz1qPIGkXzBQpVDBkazi0L+jP6ZsjlOXg70NUAcDOwpKeM5HeUpu6MamGFQ/wCCEvLn7r6De+nIvwKsadqbJgyiGFOdiRstLusGmUaZKq0BgsXduiSsVLAoaoKpBLI+f+klaFaVA7f13k5/7V4fEiK0sUXekAMH5AJitnPE8KgOPZBqblXrJ2XhUngTuoBCFfBxMof0d/kSRO2u23NVEAEgVPcMwzc178paKp1B0y7a4dQLO3mBim2h+ixlOdV1D5sKte+aImpYmfjKkJvnkdVDB77nyoTJIfWnqILDax6q4jFj7NBr+aTyke/yPGsnq3Q0TowyZxplaftOvbo4sr2es8bcccRyUGEdBZqrcBk9wjZnfvZtwKR8qk7LFeSRWXiXDknsahG025w8kep5T/EQDHXkTOlyxApmFAxH1lhbbk4TvcqR2RnEY12EYPtkY1tatAayvIqVI0HVKszlGTKztPdfVGYB7jvYzYBYEUUS6oHBmxVvdVzunhEs1fyvwMqt1D8RES30mdWBNPTYTNcJ1SMRW1prnVTQtC/0wCa1YYxEcmUaj89OwsZXfMkPsEXgfdvXbT3zRj+0UmnU1lQqNKf9jkT2meXRLQucSfIBR2El7O00QmxEAsS6kOEI9llVG9nBfD0r/4RYEGjQJkvBoqehYrPLMLajDsLsSuZBIkXSQ7408mrWFwuA3hrL4u8xKb6giNLFXopbcLHdc664vkEhIr2HXIYDzt1iUqyfcJ5Y3Aih6n00OWqHTnRlEnYoaF+kUXHhzRbRnmtl+orJE8CKu1ZY9+Q7kmXQ196Lqx4Hk4EAc3BDw0b4RBS7dFI5PqdR/jrh+lt6yt/LKyIzn0kDXyAUCZWfD03lxJ8WY3Zv1f3uDBIQW4zF6z42KMsbNQex7lizdAy+DNt08v4XNBG3Tt8siZxrHkahR6NdlyHwXwtWMuL8yvlDleqcm9svIhj6eSU5Wm0scf0hTmX1vQt7f2PxuLpjg/Zy25S8peOtrAJTUQ4UpqxbKAZTwXt+QlQ/rL7/fcI4yEl3UkxnoqY3yEI8fJd7k2ROjSHbFhyKxwItEBEv49QYXJNMeQPAOHfMht7iT7fk8sFDjPGMbOQVeaU+eWhJ0i+opq8XNG9viG3AJxOjcDvrp3UTKEV68EQRYKcLqCc3jT/cRGVb4kPczpfEKkjjo0Z7OSAzyjvde6wOUkbcBJZiBJbKuXtTIyNCcvbdLLBX2avCTjrJPKE36R6OfsKonCNv5dz6BsXiprXSl1rmjf6lSrLKcBForiphn+KcoXkbQhWLwn/3GOAt/551oChkP/4GJyOl/OLbfZpiV9lZS9UA1q8h8ZqmEWOQmgVK2Ul9/7MTWJ1Jayl8iXPGJTuQom1xMswWk0xHkRli6ucxKvKocyS0Jn/169sAkXD/FYtslEvVCzO8kneBpLro1UjZeMTaxbMfjFOBuXztZbeWCDtTBmUjB1vipBvRqV57rnIcOkrlOnY0hS6MlKUvbp6NQZZ9TIf9mYPP6cEi9rxnGvd7t+VBrRzG8UkEyaM/Bzwbai3UGK0c4v4YwgzRt2LJLGMCmLf2WIi5SeqecLaHdAKg6AnZCw/Zcz6gd+hj0tgTX8l3eZ//GYW7TMoQksKmCIWf0m30fVYLkuVul5IwApsYxtO5cqI75fjaMgFQ+bD4bbJuUGhiB2j/fTWL6qzMwmFUjW0FAjIdRKAvbPBjySb/dOeoufA7xocfXF6HdEbPnPN6hBZWI+HAV+3aFChg19fpVJ2kDYrnanjhu/XjMmjxx9BkHR91ibXGzIm5GMWIqaBoqffZ3dmah+SUyQsjkeFuHSIAuHoui/0Hyq+o6hIwCIVdT3yCyW9XRnUCyvSByqDzOndIE7ytlbp/Anihhmz21Ec//RHYRBdd9kh+A28jCgP5l2tcpOq1NPaPrXwdHN3sOb+EgRjG9AJrNhSEs5yh7tXw4xU/afDEaVDrgI0jxiZ3hVJASk+RgzwLIJ0Vh8UZ7BlGgxMSFQUHLE7o3UU/lCjLZpaBu4fmeAPySuj7iRqkyiXn5LycfQOiHzZqU93bGsAWoLmrmJ3vqblP1cC6hKZ2h1RAICmjaZvXRevYK01J10qNaK+IMaijrgV50OwvDPdc2V95ff1CtUczZeNav6RkvCrsTZfejlOY4Dypn/XtXRdjy5vRCzGGkY1DH5dyZwXuVf9UQfNLnRLqKkn9QeGlQ1hyOY2n86KfgT554KBuGy9hWZn2utxUsLnFaR6uG3+pCRhZ2ptMcx6RSchztffA7wJgPkDXKca/jX8Clz9NbsDdCs+oO7FJITuzca85M3lfZeIABoBmdTtRU00ElrdgQK4ZfrZz0SgLzxvgz/oCWTQNWoD/r6rj3V6alNF6zPPQ/jv68+y9NfpVwPzKk23WIT+vuWOP5AOGiVmUkqhRm/fgQewV0Sju5SxUKsdxi1fHtqDNBqLO4Hvb7Dw92ftIeoV0tMLa7eirV9wRvGdt5J4sKQLD3ImMW5mSyCAzwYo+lPnQNQFeT5WGdIhk/TCvUSLjcy9sf1xRmmO5m07CFZ6/9yKKCVn/Hdbiqb2B9TnAzTJK273VdnYQ8BoOFjlvfFJdT9UzlCu3EttEvv6RyABMTqpUL/WNpWkeaejKzXfpSdEbuhAV4n77Ard8zkuuouTAVbengmXbe4fgpzI+9YMDs573iJeTOr3p/G/RwcWShzbcZRZGQPOOxpXJhn+BYgi83Z55uOJq56jzn0hs0Go6COyevGd8rLIgC4PH01kDOhFI/m1tqrkpUGfjQ6ySjnSa5YFRPeOAkIbYuM3xyAN9mcYvukSm/GrQae91o9vZhMPQ7o/Xr02tHR5/sbDS1ES+mMLn//pSWnM9ISfQZTQTxkeXUq3+bvknTG8PmCdpYhcZHKAsRw== |
| MIME-Version | 1.0 |
 | |
| Icon Hash: | 46070c0a8e0c67d6 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 8, 2025 18:54:34.829921007 CET | 1.1.1.1 | 192.168.2.6 | 0xd61b | No error (0) | s-part-0017.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Jan 8, 2025 18:54:34.829921007 CET | 1.1.1.1 | 192.168.2.6 | 0xd61b | No error (0) | 13.107.246.45 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 2 |
| Start time: | 12:54:38 |
| Start date: | 08/01/2025 |
| Path: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8b0000 |
| File size: | 34'446'744 bytes |
| MD5 hash: | 91A5292942864110ED734005B7E005C0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 5 |
| Start time: | 12:54:47 |
| Start date: | 08/01/2025 |
| Path: | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff72c800000 |
| File size: | 710'048 bytes |
| MD5 hash: | EC652BEDD90E089D9406AFED89A8A8BD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
⊘No disassembly