
Windows Analysis Report
29617afb-25a0-12a3-3c27-9464d2b37792.eml

Overview

General Information

Sample name:29617afb-25a0-12a3-3c27-9464d2b37792.eml
Analysis ID:1591861
MD5:d44d580e9af5848585576091a15552ce
SHA1:4530bd82e15d9d44be6eff34a273c37900232747
SHA256:5b10160290170cd09edb3efd221754d7ef818b060390078009f42e4a05a19964
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Detected non-DNS traffic on DNS port
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7928 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\29617afb-25a0-12a3-3c27-9464d2b37792.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7568 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6BCD92BA-89E1-4AC4-A144-A6AF915C0CD0" "098CFE64-8583-40F6-B0EB-8DF779353267" "7928" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7928, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Phishing

Source: Email | Joe Sandbox AI: Detected potential phishing email: The email contains repetitive content which is suspicious and likely due to content manipulation. The login link contains a suspicious tracking URL with multiple redirects and encoded parameters. The sender domain 'swmansion.com' seems suspicious for a legitimate IDE portal
Source: Email | Joe Sandbox AI: Detected suspicious elements in Email header: High SCL (Spam Confidence Level) of 8 in X-Forefront-Antispam-Report. CAT:HPHISH indicator in antispam report suggests phishing detection. Suspicious routing through 'uzpiutmionwuvyybiztr.supabase.co' with unknown origin. SendGrid IP (149.72.120.62) being used, but with suspicious configuration and high spam scores. Complex bounce path structure suggesting potential obfuscation. Multiple spam filter triggers indicated in SFS values. Mismatch between return path domain (swmansion.com) and sending infrastructure (sendgrid.net)
Source: Email | Classification: Credential Stealer
Source: global traffic | TCP traffic: 192.168.2.7:60942 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 192.168.2.7:50163 -> 1.1.1.1:53
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: 29617afb-25a0-12a3-3c27-9464d2b37792.eml | String found in binary or memory: http://url3790.swmansion.com/ls/click?upn=3Du001.3GDPIpklFYEGBJY=
Source: 29617afb-25a0-12a3-3c27-9464d2b37792.eml | String found in binary or memory: http://url3790.swmansion.com/wf/open?upn=3Du001.ZXIXror6SSnlIvn=
Source: classification engine | Classification label: mal48.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250115T0900200030-7928.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\29617afb-25a0-12a3-3c27-9464d2b37792.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6BCD92BA-89E1-4AC4-A144-A6AF915C0CD0" "098CFE64-8583-40F6-B0EB-8DF779353267" "7928" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (techniques per tactic; the number in parentheses is the count of matched evidence shown in the report):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: Browser Extensions (11); DLL Side-Loading (1); Logon Script (Windows)
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
  • Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: Process Discovery (1); System Information Discovery (13); Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://url3790.swmansion.com/ls/click?upn=3Du001.3GDPIpklFYEGBJY= | 0% | Avira URL Cloud | safe | -
http://url3790.swmansion.com/wf/open?upn=3Du001.ZXIXror6SSnlIvn= | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | - | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://url3790.swmansion.com/ls/click?upn=3Du001.3GDPIpklFYEGBJY= | 29617afb-25a0-12a3-3c27-9464d2b37792.eml | false | Avira URL Cloud: safe | unknown
    http://url3790.swmansion.com/wf/open?upn=3Du001.ZXIXror6SSnlIvn= | 29617afb-25a0-12a3-3c27-9464d2b37792.eml | false | Avira URL Cloud: safe | unknown
    No contacted IP infos
    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1591861
    Start date and time:2025-01-15 14:59:05 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 59s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:8
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:29617afb-25a0-12a3-3c27-9464d2b37792.eml
    Detection:MAL
    Classification:mal48.winEML@3/3@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .eml
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 184.28.90.27, 52.111.231.23, 52.111.231.26, 52.111.231.24, 52.111.231.25, 52.168.117.169, 13.107.253.45, 52.149.20.212, 20.190.160.20, 40.126.31.67, 52.165.164.15, 184.28.90.29
    • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, onedscolprdeus10.eastus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, ecs.office.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.tr
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    No simulations
    No context
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    s-part-0017.t-0009.fb-t-msedge.net | https://eventor.orienteering.asn.au/Home/RedirectToLivelox?redirectUrl=https%3A%2F%2Farchive1.diqx8fescpsb0.amplifyapp.com%2Fm1%2Fenvelope%2Fdocument%2Fcontent%2F4086 | Get hash | malicious | Unknown | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | 9179390927_20250115_155451.html | Get hash | malicious | HTMLPhisher | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | https://www.pdfforge.org/pdfcreator?srsltid=AfmBOoq1lpA5qNxfcLUyxjmEXAioeKYtqPTpBsIbZ5VOdq3uhOg1WclG | Get hash | malicious | Unknown | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | http://jfdhq.offerpeercheck.com | Get hash | malicious | Unknown | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | DHL AWB CUSTOM CLEARANCE.xls | Get hash | malicious | Unknown | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | QUOTATION REQUIRED_Enatel s.r.l..exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | PlusPrivStoreAtt116.exe | Get hash | malicious | Unknown | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | https://forms.office.com/e/xknrfCPQkR | Get hash | malicious | HTMLPhisher | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | q9JZUaS1Gy.doc | Get hash | malicious | Unknown | Browse | 13.107.253.45
    s-part-0017.t-0009.fb-t-msedge.net | https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Fjobuli.in%2Fwinner%2FsXtxg%2FbWFyc2hhLnJvd2xhbmRAY2hlcm9rZWVicmljay5jb20=?0s57db=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 hash | malicious | HTMLPhisher | Browse | 13.107.253.45
    No context
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):106496
    Entropy (8bit):4.5208493474050115
    Encrypted:false
    SSDEEP:3072:lz4kZWh6f0+iJYsESvEAg1mjVJkabtn52E3ICCeGn6b0wd0qwGAQIwKUQJEi0h0Z:4I
    MD5:BF6C3D9547E30C9232E969B1865AB71A
    SHA1:3F41CB1C02CBE02F3D008399D002EA71DC0A7FF5
    SHA-256:AF05EA7571552547EC24EF96B9D0F23AA088380973C1246F737AA99967363A2F
    SHA-512:8D78D83BD5C5F6984AB6470775CE10775055D583F77DE3503303F77B4FC6309B79E55556CBFE21292C61AD782B4AFB39E5B80A20E87CCB805BC1491882696009
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):271360
    Entropy (8bit):2.356679570952484
    Encrypted:false
    SSDEEP:1536:AZ9Wm9+XY49GdzUEgFstMNW53jEpEHP4qQ10PAwr7RI/pW53jEpEHP4qQ10PAwr1:IlRqfFjp9zp9
    MD5:C28456B8D8EE9D07C0FF6909A58C0C1E
    SHA1:B1DE13D926EEB714555C3F9440FBE6C682333A31
    SHA-256:0D268A51204FDFFB4D7E32039D169AC62396C1B512D66FFCF317C13CB459FC7E
    SHA-512:2AE2D721F35A31D17345D1C69ED36DA4E06CCB63DBF742A912B4243733757117DADE4D973B4C655D6B83CD3D5058BF9F200D7530E201895F6C60AF91CD113314
    Malicious:true
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):1.5247899447494615
    Encrypted:false
    SSDEEP:768:WtWwW53amEpAHRHP4qQ10PAwr1L9UPfGSWg8MeNNNaFBC9z:0W53jEpEHP4qQ10PAwr1m/WWW
    MD5:F721DF8E777048993A17050D2244C551
    SHA1:A68AE91E44DF18C64CD9EB12441624C7E3CDF204
    SHA-256:B36AFF3312564041004BC28DE2CE2763064E622484CCA3F674AC35EEBFE2B115
    SHA-512:EAA007CC85814AF3D9B8C7E1462C6E6E3B0063537D42D820C7D5522DC4EB21425063725F2F67593A781ABBD1BD7D046234A6CC04479EF5D60BC92DD5916CC457
    Malicious:true
    Reputation:low
    File type:RFC 822 mail, ASCII text, with CRLF line terminators
    Entropy (8bit):6.04533660406676
    TrID:
    • E-Mail message (Var. 5) (54515/1) 100.00%
    File name:29617afb-25a0-12a3-3c27-9464d2b37792.eml
    File size:11'472 bytes
    MD5:d44d580e9af5848585576091a15552ce
    SHA1:4530bd82e15d9d44be6eff34a273c37900232747
    SHA256:5b10160290170cd09edb3efd221754d7ef818b060390078009f42e4a05a19964
    SHA512:7a036a90ef7b420d1f4c68bdd7bd363c7b506035d7acfe78e5fc585a36d9dadc89a069bdedbc1c547238a0879fb3bf3816b0a3dd6c3a172f260a770fbdbef5d6
    SSDEEP:192:A96RJh8gFOjrWDtNx0fqHltYklfjZQc4zE8h8ij416i7uEAAfGTWqsp1B9R:jRJROOfx0fqHltYmjZQ/E8h8Z6s2Z6qO
    TLSH:30321868AFE3542294B071DC9D51FD5FC3259C26723344F17C5632B34E8E1FAAEA2249
    File Content Preview:Received: from SA0PR11CA0123.namprd11.prod.outlook.com (2603:10b6:806:131::8).. by LV2PR01MB7862.prod.exchangelabs.com (2603:10b6:408:14e::20) with Microsoft.. SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id.. 15.20.8356.11;
    Subject:Your access link to Radon IDE Portal
    From:Radon IDE Portal <noreply@swmansion.com>
    To:licensing@skyairline.com
    Cc:
    BCC:
    Date:Wed, 15 Jan 2025 13:25:04 +0000
    Communications:
    • External email to Sky Airline: Do not open links or attachments from unknown emails, as they may be phishing or contain malware. IT Operations - Cyber Security Team Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. External email to Sky Airline: Do not open links or attachments from unknown emails, as they may be phishing or contain malware. IT Operations - Cyber Security Team Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. External email to Sky Airline: Do not open links or attachments from unknown emails, as they may be phishing or contain malware. IT Operations - Cyber Security Team External email to Sky Airline: Do not open links or attachments from unknown emails, as they may be phishing or contain malware. Do not open links or attachments from unknown emails, as they may be phishing or contain malware. IT Operations - Cyber Security Team Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. 
Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In If you did not request this email, you can safely ignore it. Log in to the Radon IDE Portal Here's your link to log in to your account. Log In http://url3790.swmansion.com/ls/click?upn=u001.3GDPIpklFYEGBJYXEnQ7Lvrbw1mHMyMknwZgn7qt7glLtZyaH8W-2BOPwmZ-2Bg2ceeDOgjwkIRnY2Vj-2FhDJJY8vqcUkjV5ro2bQd63TthRbhaxXa6mOErmFmexkzkUq6t3Brol7IyCzno5-2BGO-2FH9-2BDXG61ieJAscnDSn1V7gqRzdKWVqVXFC4OSx3LgJEitwRlb5KYkT3AMVYEeiGNP0-2BgjV-2BgfXlGNzsUYlhtFB9Rclky8cDcEwnoaSEeUkghcQJQED8ps2sN0ajxFa52-2FAU4Uag-3D-3DQ_R8_TknUrexBZViMezZOeS1w8ApySyCGHbUSnOqZQpndakdN4HpOM1GGY0avs9BUjWlnUF6-2BndVzMGWumG-2Bhyajf83Rf9KRmADNtdY9Zc0PtBGkaSEB5iiQZw3VUbBsIg3YS4CXJN4Isbvqa6wg-2BnOQbW5wix47966t0bJ5gZPl4kBSgHMgYkPsat-2FAZ3G4U2-2FdDZWHU4MOdy-2BhKxaRnY5p4BA-3D-3D If you did not request this email, you can safely ignore it.
    Attachments:
      Key | Value
      Received | from uzpiutmionwuvyybiztr.supabase.co (unknown) by geopod-ismtpd-14 (SG) with ESMTP id GMzElthWRbqdcbRuD3x92g for <licensing@skyairline.com>; Wed, 15 Jan 2025 13:25:04.535 +0000 (UTC)
      Authentication-Results | spf=pass (sender IP is 149.72.120.62) smtp.mailfrom=em3567.swmansion.com; dkim=pass (signature was verified) header.d=swmansion.com;dmarc=pass action=none header.from=swmansion.com;compauth=pass reason=100
      Received-SPF | Pass (protection.outlook.com: domain of em3567.swmansion.com designates 149.72.120.62 as permitted sender) receiver=protection.outlook.com; client-ip=149.72.120.62; helo=s.wrqvtvpz.outbound-mail.sendgrid.net; pr=C
      DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=swmansion.com; h=mime-version:from:subject:content-type:content-transfer-encoding:to: cc:content-type:from:subject:to; s=s1; bh=JAz7p05kvdnyCt8r/cGGT92QPynAbHmVkWeSWNc5n6g=; b=mYjMFwuQH1NyysTLntoJKHWw6sEqAylXvBf5RVl7l1v24qV0VROUuXCr/J7HByzRIYyk DlVflOYHMytedr6PwdbaZ46ZjCcrYGOfT+BwVyt9q+weyJEopzcudHWmedxXFJArUw5T82 3uqnesbFiEhO0DomPxThifBQ2fP1a9r+8UkylmN+pkHRWtryjyw7anMYuYM2qSofapKgIn 6aP6vE5q9HztPdAx6SgM5gz5QFC6hV0TWEQPL35oNQVihT4d8TYcRdWFdAg7+Cetz/phvC UHVuRiBxfK/klCXhAT8sWic6/qHiG1wWbaVY5spp4kQiwG0N+INJ1cqi8ISqsAXQ==
      Mime-Version | 1.0
      Date | Wed, 15 Jan 2025 13:25:04 +0000
      From | Radon IDE Portal <noreply@swmansion.com>
      Subject | Your access link to Radon IDE Portal
      Content-Type | text/html; charset="us-ascii"
      Content-Transfer-Encoding | quoted-printable
      Message-ID | <GMzElthWRbqdcbRuD3x92g@geopod-ismtpd-14>
      X-SG-EID | u001.Hn0POiueTUoxfjU2/GC0xB8M6QvnCY12RYWphXZb3Cn/ImSCC4wOzqA+U1kvgGOugCHcuzWz0o/ig2enVkZZffYH1L+g5tuyk0+fGhk8dtjdYTzUUjW7m27At6fMLlmV0ApweFQZjZpEvsnn55HCuI5VAunsuqYQTQG6ctIGGtyLODR0yqu1DRUp7wmyG12xI+eyF3EdHgLgWelVQ8JRQrsmCEy544a+z9ngk6yhKGT+tOQ00q4dxys16Q5hxw7Q
      To | licensing@skyairline.com
      X-Entity-ID | u001.5Y1z/BUFQMSZ3DEzlUWyBw==
      Return-Path | bounces+12499439-bc03-licensing=skyairline.com@em3567.swmansion.com
      X-EOPAttributedMessage | 0
      X-EOPTenantAttributedMessage | 4fd648bc-cc1f-4302-9f1b-8fe9f89fa092:0
      X-MS-PublicTrafficType | Email
      X-MS-TrafficTypeDiagnostic | SA2PEPF00003AE8:EE_|LV2PR01MB7862:EE_
      X-MS-Office365-Filtering-Correlation-Id | a153b4b6-c31e-4eb5-2023-08dd35680708
      X-MS-Exchange-AtpMessageProperties | SA|SL|HVE
      X-Forefront-Antispam-Report | CIP:149.72.120.62;CTRY:US;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:s.wrqvtvpz.outbound-mail.sendgrid.net;PTR:s.wrqvtvpz.outbound-mail.sendgrid.net;CAT:HPHISH;SFS:(13230040)(29132699027)(5073199012)(69100299015)(8110299012)(4076899003)(8096899003);DIR:INB;
      X-Microsoft-Antispam | BCL:0;ARA:13230040|29132699027|5073199012|69100299015|8110299012|4076899003|8096899003;

      Icon Hash:46070c0a8e0c67d6
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Jan 15, 2025 15:00:30.491422892 CET | 60942 | 53 | 192.168.2.7 | 1.1.1.1
      Jan 15, 2025 15:00:30.496260881 CET | 53 | 60942 | 1.1.1.1 | 192.168.2.7
      Jan 15, 2025 15:00:30.496427059 CET | 60942 | 53 | 192.168.2.7 | 1.1.1.1
      Jan 15, 2025 15:00:30.501272917 CET | 53 | 60942 | 1.1.1.1 | 192.168.2.7
      Jan 15, 2025 15:00:30.964385986 CET | 60942 | 53 | 192.168.2.7 | 1.1.1.1
      Jan 15, 2025 15:00:30.971467018 CET | 53 | 60942 | 1.1.1.1 | 192.168.2.7
      Jan 15, 2025 15:00:30.971641064 CET | 60942 | 53 | 192.168.2.7 | 1.1.1.1
      Jan 15, 2025 15:00:32.982189894 CET | 50163 | 53 | 192.168.2.7 | 1.1.1.1
      Jan 15, 2025 15:00:32.987015963 CET | 53 | 50163 | 1.1.1.1 | 192.168.2.7
      Jan 15, 2025 15:00:32.987086058 CET | 50163 | 53 | 192.168.2.7 | 1.1.1.1
      Jan 15, 2025 15:00:32.991888046 CET | 53 | 50163 | 1.1.1.1 | 192.168.2.7
      Jan 15, 2025 15:00:33.433773994 CET | 50163 | 53 | 192.168.2.7 | 1.1.1.1
      Jan 15, 2025 15:00:33.438724041 CET | 53 | 50163 | 1.1.1.1 | 192.168.2.7
      Jan 15, 2025 15:00:33.438801050 CET | 50163 | 53 | 192.168.2.7 | 1.1.1.1
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Jan 15, 2025 15:00:30.490459919 CET | 53 | 64950 | 1.1.1.1 | 192.168.2.7
      Jan 15, 2025 15:00:32.981857061 CET | 53 | 50438 | 1.1.1.1 | 192.168.2.7
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Jan 15, 2025 15:00:14.956973076 CET | 1.1.1.1 | 192.168.2.7 | 0xb39c | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
      Jan 15, 2025 15:00:14.956973076 CET | 1.1.1.1 | 192.168.2.7 | 0xb39c | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
      Jan 15, 2025 15:00:14.956973076 CET | 1.1.1.1 | 192.168.2.7 | 0xb39c | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | - | 13.107.253.45 | A (IP address) | IN (0x0001) | false

      Target ID:1
      Start time:09:00:17
      Start date:15/01/2025
      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\29617afb-25a0-12a3-3c27-9464d2b37792.eml"
      Imagebase:0x360000
      File size:34'446'744 bytes
      MD5 hash:91A5292942864110ED734005B7E005C0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:3
      Start time:09:00:23
      Start date:15/01/2025
      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
      Wow64 process (32bit):false
      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6BCD92BA-89E1-4AC4-A144-A6AF915C0CD0" "098CFE64-8583-40F6-B0EB-8DF779353267" "7928" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
      Imagebase:0x7ff64d240000
      File size:710'048 bytes
      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      No disassembly