Windows
Analysis Report
7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml
Overview
General Information
Detection
Score: | 48 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
OUTLOOK.EXE (PID: 7640 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml" MD5: 91A5292942864110ED734005B7E005C0)
ai.exe (PID: 7992 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "20EC6D5A-8C61-4A72-B4D0-0FBD921137BF" "9D99BC2F-0413-4AD1-B5B5-6F25C4F4E4D7" "7640" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
- Phishing
- Networking
- System Summary
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Language, Device and Operating System Detection
Phishing |
---|
Source: | Joe Sandbox AI |
Source: | Classification |
Source: | String found in binary or memory |
Source: | Classification label |
Source: | File created |
Source: | Process created |
Source: | Section loaded |
Source: | Key value queried |
Source: | Window found |
Source: | Window detected |
Source: | Key opened |
Source: | Process information set |
Source: | Process information queried |
Source: | Queries volume information |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 11 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | | high |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1648552 |
Start date and time: | 2025-03-25 22:45:20 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 23s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml |
Detection: | MAL |
Classification: | mal48.winEML@3/3@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.109.6.53, 40.79.189.59, 184.31.69.3, 4.245.163.56, 52.123.129.14
- Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, dual-s-0005-office.config.skype.com, onedscolprdjpe05.japaneast.cloudapp.azure.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, eus2-azsc-config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, mobile.events.data.trafficmanager.net
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
s-0005.dual-s-msedge.net | | Get hash | malicious | HTMLPhisher | Browse | |
| | Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse | |
| | Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
| | Get hash | malicious | Unknown | Browse | |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 106496 |
Entropy (8bit): | 4.493093596663979 |
Encrypted: | false |
SSDEEP: | 768:gSvPgaJ4z7n2hs/j4UOAMRv99xsK7SM+Xc/WGWtBcuS2:gSvIaw4CAV9xsK8XLvS2 |
MD5: | 9B61930584CF81ABF30E507411D256D4 |
SHA1: | AFC231DDF944FB5CDE7616B2F731034A0215F4AD |
SHA-256: | 9328EB6EC3B4D00680AE98CEA0A7418AFEBEB16D503137451EA2AB2C3F471462 |
SHA-512: | 85A18105AC1361DE594F4DAC5BB226A69FAEA12E7404BC06FD6FD033DDA2496BA44AD9282E087E2DD8C81197F0985021CC6612B431C02D5256D1A436B6C5DC18 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 271360 |
Entropy (8bit): | 2.3181175990525067 |
Encrypted: | false |
SSDEEP: | 1536:vT2T2/UjV8j7ZyThHGuGHm1opHixmvDD5W53jEpEHP4qQ10PAwrApDOVW53jEpEF:r2dx8j7Zyj4rHp9nojp9 |
MD5: | EECCB594696B4A395A1AF10A1B0F28D4 |
SHA1: | 0145090ED23718A42CC06307E53F406D244E6F08 |
SHA-256: | 1CDA679E3EBE18B8521E4AAA76318444FF263C65FDF1725483E5D1BDC4921C14 |
SHA-512: | 6D140A3F322FA8EAF9B7A6D4F58A453C1DC86AA4A5C973FFE1899E794BECF90996693ECA2DC61BAE07EDB6BF56E589FC6FAB3672FCD86A0C31000D7571A3AD09 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 2.716568678420666 |
Encrypted: | false |
SSDEEP: | 1536:eW53jEpEHP4qQ10PAwr1bDOpQIO3jEpEHP4qQ10PAwrEYpDD27l5HjT:sp9VjNp9U273v |
MD5: | 6C3C9FA5DCBC8CB121A7436B61C1EDE4 |
SHA1: | 593ED128842E6C2657948B1AB9B7A08C712FB2F5 |
SHA-256: | CAFC56C990181D13235DF3DA6EBA798B5F8CA12EFE737EA95640F55C3B3E6C62 |
SHA-512: | 428D35DF377299EA9FFD5832A0D9D9778A571AE6D1FD4FC41824C3011AD1FEE795D1612DEA62F65A46DACA581275546DA9B64B9FCF346CA8B5B4D64B796D2BC9 |
Malicious: | true |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.046083760151485 |
TrID: | |
File name: | 7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml |
File size: | 10'386 bytes |
MD5: | e32933917a58f9942c58bc27c5ec41d1 |
SHA1: | 9f0775601a96aacb4983ac1f18398f97bd24f946 |
SHA256: | b0cca56e7544b7c69cd785055683c5aca7cabb24c657ce767d305ddd640e05c2 |
SHA512: | 9f853987ff6324e8f6db53406c0b744dbe35542e26c1c132c3650b37bad9e479d08da43c0c9b86ecfe4e50710eee6eb312aa9c9357fed6006443718c0d7394e2 |
SSDEEP: | 192:oIJmSl6Nn0hA6Af9ZoLes8OGgWG4lYuSKOP7:oIkSl6N0hA6AfUCRfgXTJP7 |
TLSH: | 56220711A6131522E79142416C51BC68A311F95AB6BFA6C03D8F32BF5BCF07F7E3684A |
File Content Preview: | Received: from YT1PR01CA0070.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:b01:2d::9).. by LV8PR07MB10486.namprd07.prod.outlook.com (2603:10b6:408:241::22) with.. Microsoft SMTP Server (version=TLS1_2,.. cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8534. |
Subject: | [External] [AAV-NVAL-SYN-01] Updates to our Services Data Collection Disclosure |
From: | AAV-NVAL-SYN-01 - Synology NAS <aavalerting@gmail.com> |
To: | notifications@advantageog.com |
Cc: | |
BCC: | |
Date: | Tue, 25 Mar 2025 10:56:37 +0900 |
Communications: | |
Attachments: | |
Key | Value |
---|---|
Received | from 832519452450 named unknown by gmailapi.google.com with HTTPREST; Tue, 25 Mar 2025 10:56:37 +0900 |
Authentication-Results | spf=pass (sender IP is 2607:f8b0:4864:20::d41) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100 |
Received-SPF | Pass (protection.outlook.com: domain of gmail.com designates 2607:f8b0:4864:20::d41 as permitted sender) receiver=protection.outlook.com; client-ip=2607:f8b0:4864:20::d41; helo=mail-io1-xd41.google.com; pr=C |
DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1742867799; x=1743472599; darn=advantageog.com; h=to:subject:message-id:date:mime-version:from:from:to:cc:subject :date:message-id:reply-to; bh=U+/W2nRMgfRl9Iho1AxycIwiEUm5xx0zENG73kQ1LW0=; b=D4RFnECyDlANNvHEgHMfsvYw+Aol5Cq8uWBPeyC0w1uCi5Hcn34I6gCFscforL4WXP hMNOT8F7v+7valcoMCkAcJT87KNx1fakFVDcD0x8+YuZrsKhrTITzZFOQHU8VcrLve3S td5qnJaYahJs1YURVjV/iwGUHQUyYn4I92ei5b2QMDYW9WRy8Y3ncCdmd/EFUTyQx/D4 NK6EQ9ZpF4MO4BPs36oYCG4Dqg2oyIp7jldWtU92XRPEQY+xkNirnSE6HmfW+OUxklWF Exr+bP+PMn6yovDKz9J+sCCY5rYZDdI9N/ZaVic6njbb+WyoFHM5sSswciHNElYhVClU EBCw== |
X-Received | by 2002:a05:6e02:1aaa:b0:3d3:dcc4:a58e with SMTP id e9e14a558f8ab-3d5960f2c5amr166420035ab.8.1742867798715; Mon, 24 Mar 2025 18:56:38 -0700 (PDT) |
From | AAV-NVAL-SYN-01 - Synology NAS <aavalerting@gmail.com> |
MIME-Version | 1.0 |
Date | Tue, 25 Mar 2025 10:56:37 +0900 |
X-Gm-Features | AQ5f1JrLxGDQCsGbsnYTb4TwRLSYhFnmMN6UwRPQYnk9QzQL0hVkdPMq8LvpOEs |
Message-ID | <CAEgF+G2KXPPKMT_twh8vbMBbcNtdpiAKD=v-zAz8hk4QDfW6gg@mail.gmail.com> |
Subject | [External] [AAV-NVAL-SYN-01] Updates to our Services Data Collection Disclosure |
To | notifications@advantageog.com |
Content-Type | multipart/alternative; boundary="0000000000000874920631210891" |
Return-Path | aavalerting@gmail.com |
X-EOPAttributedMessage | 0 |
X-EOPTenantAttributedMessage | c342087c-d3b6-410f-a7db-385ccc83325d:0 |
X-MS-PublicTrafficType | |
X-MS-TrafficTypeDiagnostic | YT2PEPF000001CC:EE_|LV8PR07MB10486:EE_ |
X-MS-Office365-Filtering-Correlation-Id | 28ef880e-5df4-421f-e162-08dd6b4048a4 |
X-LD-Processed | c342087c-d3b6-410f-a7db-385ccc83325d,ExtFwd |
X-MS-Exchange-AtpMessageProperties | SA|SL |
X-Forefront-Antispam-Report | CIP:2607:f8b0:4864:20::d41;CTRY:;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:mail-io1-xd41.google.com;PTR:mail-io1-xd41.google.com;CAT:HPHISH;SFS:(13230040)(7093399015)(13003099007)(8096899003);DIR:INB; |
X-Microsoft-Antispam | BCL:0;ARA:13230040|7093399015|13003099007|8096899003; |
Icon Hash: | 46070c0a8e0c67d6 |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 25, 2025 22:46:33.978648901 CET | 1.1.1.1 | 192.168.2.6 | 0x5a46 | No error (0) | s-0005.dual-s-msedge.net | | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 25, 2025 22:46:33.978648901 CET | 1.1.1.1 | 192.168.2.6 | 0x5a46 | No error (0) | | | 52.123.129.14 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 22:46:33.978648901 CET | 1.1.1.1 | 192.168.2.6 | 0x5a46 | No error (0) | | | 52.123.128.14 | A (IP address) | IN (0x0001) | false |
Target ID: | 2 |
Start time: | 17:46:26 |
Start date: | 25/03/2025 |
Path: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Wow64 process (32bit): | true |
Commandline: | "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml" |
Imagebase: | 0x6a0000 |
File size: | 34'446'744 bytes |
MD5 hash: | 91A5292942864110ED734005B7E005C0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 4 |
Start time: | 17:46:33 |
Start date: | 25/03/2025 |
Path: | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe |
Wow64 process (32bit): | false |
Commandline: | "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "20EC6D5A-8C61-4A72-B4D0-0FBD921137BF" "9D99BC2F-0413-4AD1-B5B5-6F25C4F4E4D7" "7640" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" |
Imagebase: | 0x7ff7b55f0000 |
File size: | 710'048 bytes |
MD5 hash: | EC652BEDD90E089D9406AFED89A8A8BD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |