
Windows Analysis Report
7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml

Overview

General Information

Sample name:7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml
Analysis ID:1648552
MD5:e32933917a58f9942c58bc27c5ec41d1
SHA1:9f0775601a96aacb4983ac1f18398f97bd24f946
SHA256:b0cca56e7544b7c69cd785055683c5aca7cabb24c657ce767d305ddd640e05c2

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7640 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7992 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "20EC6D5A-8C61-4A72-B4D0-0FBD921137BF" "9D99BC2F-0413-4AD1-B5B5-6F25C4F4E4D7" "7640" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma match: Office Autorun Keys Modification (rule authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split))
  Source: Registry Key set
  EventID: 13, EventType: SetValue
  Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE (ProcessId 7640)
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
  Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
No Suricata rule has matched
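The Sigma hit above fires on a registry write under an Office Addins key. In this run the writer is OUTLOOK.EXE itself (PID 7640) setting a value under its own OneNote add-in key, which is what Outlook does when it initialises its bundled add-ins, so on its own the hit is context rather than evidence that the email installed persistence. The Python below is an added editorial example, not Joe Sandbox output and not the Sigma rule's own logic: it re-implements a simplified version of the selection (per-application Addins keys only; the real rule lists more locations) over Sysmon-style EventID 13 records and separates writes made by an Office binary from writes made by anything else. The first record is the event from this report; the other two records, the temp-folder image, the add-in name and the Office-binary path allow-list are constructed assumptions.

```python
"""Re-check of the 'Office Autorun Keys Modification' hit over Sysmon-style events (added example)."""
import re

# Keys of interest, simplified: per-application Addins keys under
# HKCU/HKLM\Software\Microsoft\Office[\<version>]. The real Sigma rule covers
# more locations; this pattern is an assumption that covers the event in this report.
OFFICE_ADDIN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?:\d+\.\d+\\)?"
    r"(?:Outlook|Word|Excel|PowerPoint|Access|OneNote|Publisher|Visio)\\Addins\\",
    re.IGNORECASE,
)
# Assumption: Office binaries live under a "Microsoft Office" directory.
# A path allow-list is a triage aid, not a security boundary: code injected
# into OUTLOOK.EXE would pass it, so hits are labelled, never dropped.
OFFICE_IMAGE_RE = re.compile(
    r"\\Microsoft Office\\.*\\(?:OUTLOOK|WINWORD|EXCEL|POWERPNT|MSACCESS|ONENOTE)\.EXE$",
    re.IGNORECASE,
)

# Constructed event list. The first record is the one shown in this report;
# the other two are made up to show a non-Office writer and a non-Office key.
EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 7640,
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1",
     "Details": "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4242,  # constructed
     "Image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Sample.Connect\LoadBehavior",
     "Details": "DWORD (0x00000003)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 1234,  # constructed
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def classify(event):
    """None when the event is out of scope; otherwise a hit with a triage verdict."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    if not OFFICE_ADDIN_KEY_RE.search(event["TargetObject"]):
        return None
    if OFFICE_IMAGE_RE.search(event["Image"]):
        verdict = "expected"    # an Office binary touching its own add-in key
    else:
        verdict = "suspicious"  # something else registering an Office add-in
    return {"rule": "Office Autorun Keys Modification (simplified)",
            "verdict": verdict, "pid": event["ProcessId"],
            "image": event["Image"], "key": event["TargetObject"],
            "details": event["Details"]}


def run(events):
    """All hits, in event order."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for hit in run(EVENTS):
        print(f"[{hit['verdict']}] pid={hit['pid']} {hit['image']} -> {hit['key']}")
```

Run against the constructed list, the report's own event comes back as "expected" and the temp-folder writer as "suspicious"; the explorer.exe write is out of scope. Feed real Sysmon EventID 13 records (the same field names) to reproduce the triage on a live host.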



Phishing

Source: Email, Joe Sandbox AI: Detected potential phishing email: Suspicious sender email domain (gmail.com) doesn't match claimed organization (Synology). Generic and vague subject line about data collection policy updates. Short URL (sy.to) is suspicious and commonly used in phishing attempts
Source: Email, Joe Sandbox AI: Detected suspicious elements in Email header: High SCL (Spam Confidence Level) score of 8 in x-forefront-antispam-report. CAT:HPHISH indicator in antispam report suggests high-confidence phishing detection. Suspicious HTTPREST submission from unnamed source (832519452450). Multiple spam filter triggers indicated in SFS values. Gmail API submission but with suspicious authentication patterns. Message originated from Google's infrastructure but triggered multiple security controls. Unusual combination of legitimate infrastructure (Google) with high-risk spam/phishing indicators
Source: Email, Classification: Credential Stealer
Source: 7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml, String found in binary or memory: https://sy.to/zvgxb
Source: classification engine, Classification label: mal48.winEML@3/3@0/0
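The two AI verdicts above rest on a handful of header and body features that can be checked mechanically: the SCL and CAT fields inside X-Forefront-Antispam-Report, the Authentication-Results outcome, the gap between the display name ("Synology NAS") and the sending domain (gmail.com), and the shortened link. The Python below is an added example for this report, not Joe Sandbox code: it parses a constructed .eml built from the header and body values shown on this page (the real message was multipart/alternative; here it is reduced to one text/plain part) and returns those features. The free-mail list, brand list and shortener list are illustrative assumptions. Note what spf/dkim/dmarc=pass does and does not mean here: it proves the message genuinely left Google's servers for gmail.com, which is exactly why the sender has no trouble authenticating; it says nothing about whether a Gmail mailbox should be speaking for Synology.

```python
"""Triage of the header/body features behind the phishing verdict (added example)."""
import email.utils
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: header values and body text are those shown in this report;
# the real message was multipart/alternative, here reduced to one text/plain part.
SAMPLE_EML = b"""\
From: AAV-NVAL-SYN-01 - Synology NAS <aavalerting@gmail.com>
To: notifications@advantageog.com
Subject: [External] [AAV-NVAL-SYN-01] Updates to our Services Data Collection Disclosure
Date: Tue, 25 Mar 2025 10:56:37 +0900
Return-Path: aavalerting@gmail.com
Authentication-Results: spf=pass (sender IP is 2607:f8b0:4864:20::d41) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:2607:f8b0:4864:20::d41;CTRY:;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:mail-io1-xd41.google.com;PTR:mail-io1-xd41.google.com;CAT:HPHISH;SFS:(13230040)(7093399015)(13003099007)(8096899003);DIR:INB;
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

We have updated our Services Data Collection Disclosure <https://sy.to/zvgxb>
to make it easier to understand and to reflect recent changes to our policy.
From AAV-NVAL-SYN-01
"""

# Assumptions for illustration: consumer mail domains, brands worth checking,
# and link-shortener hosts (sy.to is the one seen in this sample).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
BRAND_WORDS = ("synology", "microsoft", "docusign", "paypal")
SHORTENER_HOSTS = {"sy.to", "bit.ly", "t.co", "tinyurl.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*")


def parse_forefront_report(value):
    """Split 'K:V;K:V;...' into a dict. Only the first ':' separates key from
    value, so IPv6 literals such as CIP:2607:f8b0:... survive intact."""
    fields = {}
    for part in value.split(";"):
        if ":" in part:
            key, val = part.strip().split(":", 1)
            fields[key] = val.strip()
    return fields


def parse_auth_results(value):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ..., 'compauth': ...}."""
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))


def brand_mismatch(from_header):
    """(brand, domain) when the display name claims a brand but the address
    is a consumer mailbox; None otherwise."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    claimed = [b for b in BRAND_WORDS if b in name.lower()]
    if claimed and domain in FREEMAIL_DOMAINS:
        return claimed[0], domain
    return None


def short_links(text):
    """URLs in the body whose host is a known shortener."""
    return [m.group(0) for m in URL_RE.finditer(text)
            if m.group(1).lower() in SHORTENER_HOSTS]


def triage(raw_eml):
    """Extract the indicators the verdict above relies on and list the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    report = parse_forefront_report(msg.get("X-Forefront-Antispam-Report", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    mismatch = brand_mismatch(str(msg["From"]))
    links = short_links(body)
    scl = int(report.get("SCL", -1))

    findings = []
    if scl >= 5:                       # EOP: 5-6 spam, 7-9 high-confidence spam
        findings.append(f"SCL {scl}")
    if report.get("CAT") == "HPHISH":  # EOP's high-confidence phishing category
        findings.append("CAT:HPHISH")
    if mismatch:
        note = f"display name claims {mismatch[0]!r}, sender domain is {mismatch[1]}"
        if auth.get("dmarc") == "pass":
            note += " (DMARC pass vouches for that domain only, not for the claimed brand)"
        findings.append(note)
    if links:
        findings.append("shortened link(s): " + ", ".join(links))
    return {"scl": scl, "cat": report.get("CAT"), "auth": auth,
            "brand_mismatch": mismatch, "short_links": links, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

Against the constructed message this yields four findings (SCL 8, CAT:HPHISH, the Synology/gmail.com mismatch with all authentication results passing, and the sy.to link). Point `triage` at the raw bytes of the real .eml to run the same checks on the original headers.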
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250325T1746300228-7640.etl
Source: unknown, Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "20EC6D5A-8C61-4A72-B4D0-0FBD921137BF" "9D99BC2F-0413-4AD1-B5B5-6F25C4F4E4D7" "7640" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Sections loaded: apphelp.dll, c2r64.dll, userenv.dll, msasn1.dll, kernel.appcore.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Window found: window name: SysTabControl32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information set: NOOPENFILEERRORBOX (45 identical events)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 identical events)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Both ai.exe events come from the Office-installed component (path under Microsoft Office\root\vfs, launched by OUTLOOK.EXE with its own WordCombinedFloatieLreOnline.onnx model as argument). The "Queries the volume information" signature and the MachineGuid read are therefore satisfied by Office itself; no process other than OUTLOOK.EXE and ai.exe was started during the analysis.
MITRE ATT&CK matrix. Techniques with at least one matched signature (the per-cell signature counts did not survive extraction and are omitted):
  Persistence: Browser Extensions, DLL Side-Loading
  Privilege Escalation: Process Injection, DLL Side-Loading
  Defense Evasion: Masquerading, Process Injection, DLL Side-Loading
  Discovery: Process Discovery, System Information Discovery
Tactics with no matched technique: Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
Behavior graph (ID 1648552, sample 7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml, start date 25/03/2025, architecture Windows, score 48), rendered as text:
  Sample → OUTLOOK.EXE (started)
    Signatures attached to the sample node: AI detected suspicious elements in Email header; AI detected suspicious elements in Email content
    Files dropped by OUTLOOK.EXE: C:\...\~Outlook Data File - NoEmail.pst.tmp (data); C:\Users\...\Outlook Data File - NoEmail.pst (Microsoft Outlook email folder, see the dropped-file details below)
    OUTLOOK.EXE → ai.exe (started)

No Antivirus matches
Contacted domains:
  s-0005.dual-s-msedge.net, IP: 52.123.129.14, active: true, malicious: false, antivirus detection: none, reputation: high

URLs:
  https://sy.to/zvgxb (source: 7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml), malicious: false, antivirus detection: none, reputation: high
  This URL was only extracted as a string from the .eml; nothing in the analysis fetched it (the only DNS traffic is the Office configuration lookup listed further down, and there are no contacted IPs). The "malicious: false" field is a reputation lookup at analysis time, not a verdict on where the short link redirects.

No contacted IP infos
      Joe Sandbox version:42.0.0 Malachite
      Analysis ID:1648552
      Start date and time:2025-03-25 22:45:20 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 23s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of new started processes analysed:8
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml
      Detection:MAL
      Classification:mal48.winEML@3/3@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .eml
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.109.6.53, 40.79.189.59, 184.31.69.3, 4.245.163.56, 52.123.129.14
      • Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, dual-s-0005-office.config.skype.com, onedscolprdjpe05.japaneast.cloudapp.azure.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, eus2-azsc-config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, mobile.events.data.trafficmanager.net
      • Not all processes were analyzed; the report is missing behavior information
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      No simulations
      No context
Context: other samples that contacted s-0005.dual-s-msedge.net
  Associated sample name / URL | Detection | Threat name | IP
  https://thetti-my.sharepoint.com/:f:/p/kellieblack/EtssBivICL5BgQEDfbETZP4BZsoHTOyxYMnSj46dgeiAiA?e=0t2fdm | malicious | HTMLPhisher | 52.123.128.14
  Revised - Hartzellprop.com 2025 Handbook29828.doc | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 52.123.128.14
  Revised - Cwalker 2025 Handbook25807.doc | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 52.123.129.14
  original.eml | malicious | Unknown | 52.123.128.14
  PO 25032025.docx | malicious | Unknown | 52.123.129.14
  PO 25032025.docx | malicious | Unknown | 52.123.128.14
  PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
  PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
  PURCHASE ORDER 420-2025.xla.xlsx | malicious | Unknown | 52.123.128.14
  PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 52.123.129.14
The shared domain is the Office ECS configuration endpoint (ecs-office.s-0005.dual-s-msedge.net resolves to it, see the DNS section), which every Office-hosted analysis contacts; its IP 52.123.129.14 is also on the report's own whitelist above. These associations reflect shared Microsoft infrastructure, not a relationship between this email and the listed samples, and the domain is not usable as an indicator.
      No context
      No context
      No context
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):106496
      Entropy (8bit):4.493093596663979
      Encrypted:false
      SSDEEP:768:gSvPgaJ4z7n2hs/j4UOAMRv99xsK7SM+Xc/WGWtBcuS2:gSvIaw4CAV9xsK8XLvS2
      MD5:9B61930584CF81ABF30E507411D256D4
      SHA1:AFC231DDF944FB5CDE7616B2F731034A0215F4AD
      SHA-256:9328EB6EC3B4D00680AE98CEA0A7418AFEBEB16D503137451EA2AB2C3F471462
      SHA-512:85A18105AC1361DE594F4DAC5BB226A69FAEA12E7404BC06FD6FD033DDA2496BA44AD9282E087E2DD8C81197F0985021CC6612B431C02D5256D1A436B6C5DC18
      Malicious:false
      Reputation:low
      Preview:............................................................................h.............;^...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................[.............;^...........v.2._.O.U.T.L.O.O.K.:.1.d.d.8.:.0.0.4.a.4.9.0.8.b.d.d.8.4.1.b.4.b.0.2.d.3.0.9.1.2.6.f.4.b.4.7.4...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.3.2.5.T.1.7.4.6.3.0.0.2.2.8.-.7.6.4.0...e.t.l.......P.P..........w=^...................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Microsoft Outlook email folder (>=2003)
      Category:dropped
      Size (bytes):271360
      Entropy (8bit):2.3181175990525067
      Encrypted:false
      SSDEEP:1536:vT2T2/UjV8j7ZyThHGuGHm1opHixmvDD5W53jEpEHP4qQ10PAwrApDOVW53jEpEF:r2dx8j7Zyj4rHp9nojp9
      MD5:EECCB594696B4A395A1AF10A1B0F28D4
      SHA1:0145090ED23718A42CC06307E53F406D244E6F08
      SHA-256:1CDA679E3EBE18B8521E4AAA76318444FF263C65FDF1725483E5D1BDC4921C14
      SHA-512:6D140A3F322FA8EAF9B7A6D4F58A453C1DC86AA4A5C973FFE1899E794BECF90996693ECA2DC61BAE07EDB6BF56E589FC6FAB3672FCD86A0C31000D7571A3AD09
      Malicious:true
      Reputation:low
      Preview:!BDN....SM......\...v...................Z................@...........@...@...................................@...........................................................................$.......D..................................................................................................................................................................................................................................................................................................................................D...........T$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):2.716568678420666
      Encrypted:false
      SSDEEP:1536:eW53jEpEHP4qQ10PAwr1bDOpQIO3jEpEHP4qQ10PAwrEYpDD27l5HjT:sp9VjNp9U273v
      MD5:6C3C9FA5DCBC8CB121A7436B61C1EDE4
      SHA1:593ED128842E6C2657948B1AB9B7A08C712FB2F5
      SHA-256:CAFC56C990181D13235DF3DA6EBA798B5F8CA12EFE737EA95640F55C3B3E6C62
      SHA-512:428D35DF377299EA9FFD5832A0D9D9778A571AE6D1FD4FC41824C3011AD1FEE795D1612DEA62F65A46DACA581275546DA9B64B9FCF346CA8B5B4D64B796D2BC9
      Malicious:true
      Reputation:low
      Preview:..Z.C...g..............[.....................#.!BDN....SM......\...v...................Z................@...........@...@...................................@...........................................................................$.......D..................................................................................................................................................................................................................................................................................................................................D...........T$.....[........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
      File type:RFC 822 mail, ASCII text, with CRLF line terminators
      Entropy (8bit):6.046083760151485
      TrID:
      • E-Mail message (Var. 5) (54515/1) 100.00%
      File name:7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml
      File size:10'386 bytes
      MD5:e32933917a58f9942c58bc27c5ec41d1
      SHA1:9f0775601a96aacb4983ac1f18398f97bd24f946
      SHA256:b0cca56e7544b7c69cd785055683c5aca7cabb24c657ce767d305ddd640e05c2
      SHA512:9f853987ff6324e8f6db53406c0b744dbe35542e26c1c132c3650b37bad9e479d08da43c0c9b86ecfe4e50710eee6eb312aa9c9357fed6006443718c0d7394e2
      SSDEEP:192:oIJmSl6Nn0hA6Af9ZoLes8OGgWG4lYuSKOP7:oIkSl6N0hA6AfUCRfgXTJP7
      TLSH:56220711A6131522E79142416C51BC68A311F95AB6BFA6C03D8F32BF5BCF07F7E3684A
      File Content Preview:Received: from YT1PR01CA0070.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:b01:2d::9).. by LV8PR07MB10486.namprd07.prod.outlook.com (2603:10b6:408:241::22) with.. Microsoft SMTP Server (version=TLS1_2,.. cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8534.
      Subject:[External] [AAV-NVAL-SYN-01] Updates to our Services Data Collection Disclosure
      From:AAV-NVAL-SYN-01 - Synology NAS <aavalerting@gmail.com>
      To:notifications@advantageog.com
      Cc:
      BCC:
      Date:Tue, 25 Mar 2025 10:56:37 +0900
      Communications:
      • We have updated our Services Data Collection Disclosure <https://sy.to/zvgxb> to make it easier to understand and to reflect recent changes to our policy. We encourage you to read our Services Data Collection Disclosure by clicking on the link above and regularly check for any changes. From AAV-NVAL-SYN-01
      Attachments:
      Headers:
        Received: from 832519452450 named unknown by gmailapi.google.com with HTTPREST; Tue, 25 Mar 2025 10:56:37 +0900
        Authentication-Results: spf=pass (sender IP is 2607:f8b0:4864:20::d41) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100
        Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates 2607:f8b0:4864:20::d41 as permitted sender) receiver=protection.outlook.com; client-ip=2607:f8b0:4864:20::d41; helo=mail-io1-xd41.google.com; pr=C
        DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1742867799; x=1743472599; darn=advantageog.com; h=to:subject:message-id:date:mime-version:from:from:to:cc:subject :date:message-id:reply-to; bh=U+/W2nRMgfRl9Iho1AxycIwiEUm5xx0zENG73kQ1LW0=; b=D4RFnECyDlANNvHEgHMfsvYw+Aol5Cq8uWBPeyC0w1uCi5Hcn34I6gCFscforL4WXP hMNOT8F7v+7valcoMCkAcJT87KNx1fakFVDcD0x8+YuZrsKhrTITzZFOQHU8VcrLve3S td5qnJaYahJs1YURVjV/iwGUHQUyYn4I92ei5b2QMDYW9WRy8Y3ncCdmd/EFUTyQx/D4 NK6EQ9ZpF4MO4BPs36oYCG4Dqg2oyIp7jldWtU92XRPEQY+xkNirnSE6HmfW+OUxklWF Exr+bP+PMn6yovDKz9J+sCCY5rYZDdI9N/ZaVic6njbb+WyoFHM5sSswciHNElYhVClU EBCw==
        X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1742867799; x=1743472599; h=to:subject:message-id:date:mime-version:from:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=U+/W2nRMgfRl9Iho1AxycIwiEUm5xx0zENG73kQ1LW0=; b=J/f0T4l6SxAF9LMyOuST2QTWFFewDcMatgRtFWZ9/h2kuoH42qVsk71AkXOc7SrkHZ ydbsDRlugLxgjJBDaNY2nxLynf0H9czbBSylmvyOd7xdGsoM7ltPL4CLjvdTC8OYuN9u wVCkKeT0SKZNJEtY8PFcy0+71MU38Fb0Ovs2S1/R/AllgcQfa1oB+4Evx9dM6wvXWrk9 v0wZklyTbQzzwa2NCO8v29C9gF6b+7cuU8CZkVB1ZwCaJcOw0PvN4GKrXNbcHBJXi85C Nx3u+0fWRajhxA0TMlaJg8eZbGVCuhaNkTj4gPVEII1+Zp9+xi+4i21309mX4PTT37ku XLtg==
        X-Gm-Message-State: AOJu0YzDvBwUOqmAMFDCUlaor2c5Aw33NzvmE97JTO/xHFe+3bnadxAs eZtrNrem4VevXL3jKN/z5j3a13s9JUYgFikVZp841xuLYBxwjgccKtmfuDH0MSvMrk6ntuDdws/ oGOqCFWa6C24juceMHVuEdqcgbUwlKxYjlMD0dg==
        X-Gm-Gg: ASbGnctMyKtby5VhrGYNZPHkBitPcOxvgViuyzGrAifqNeV8oPPu52M+LuTl+ylc+Hr rdUskMYkquTyZTqFK3T+DeIA4RAMvhl+HARpUpvrZbDGPdEhftKppGp9M2B1RZeFQx6lcSSmbGz PSRMybsXC9Fst7QUmc4cOxfLtRL9A=
        X-Google-Smtp-Source: AGHT+IHj1NIhSYJAaM9eUkOAWtUJPWby2HSVAl+aqSrsl39C7WYt8r92U91ckOolsdIMSseOxlXLzmaJTY7xCqJcQ5U=
        X-Received: by 2002:a05:6e02:1aaa:b0:3d3:dcc4:a58e with SMTP id e9e14a558f8ab-3d5960f2c5amr166420035ab.8.1742867798715; Mon, 24 Mar 2025 18:56:38 -0700 (PDT)
        From: AAV-NVAL-SYN-01 - Synology NAS <aavalerting@gmail.com>
        MIME-Version: 1.0
        Date: Tue, 25 Mar 2025 10:56:37 +0900
        X-Gm-Features: AQ5f1JrLxGDQCsGbsnYTb4TwRLSYhFnmMN6UwRPQYnk9QzQL0hVkdPMq8LvpOEs
        Message-ID: <CAEgF+G2KXPPKMT_twh8vbMBbcNtdpiAKD=v-zAz8hk4QDfW6gg@mail.gmail.com>
        Subject: [External] [AAV-NVAL-SYN-01] Updates to our Services Data Collection Disclosure
        To: notifications@advantageog.com
        Content-Type: multipart/alternative; boundary="0000000000000874920631210891"
        Return-Path: aavalerting@gmail.com
        X-EOPAttributedMessage: 0
        X-EOPTenantAttributedMessage: c342087c-d3b6-410f-a7db-385ccc83325d:0
        X-MS-PublicTrafficType: Email
        X-MS-TrafficTypeDiagnostic: YT2PEPF000001CC:EE_|LV8PR07MB10486:EE_
        X-MS-Office365-Filtering-Correlation-Id: 28ef880e-5df4-421f-e162-08dd6b4048a4
        X-LD-Processed: c342087c-d3b6-410f-a7db-385ccc83325d,ExtFwd
        X-MS-Exchange-AtpMessageProperties: SA|SL
        X-Forefront-Antispam-Report: CIP:2607:f8b0:4864:20::d41;CTRY:;LANG:en;SCL:8;SRV:;IPV:NLI;SFV:SPM;H:mail-io1-xd41.google.com;PTR:mail-io1-xd41.google.com;CAT:HPHISH;SFS:(13230040)(7093399015)(13003099007)(8096899003);DIR:INB;
        X-Microsoft-Antispam: BCL:0;ARA:13230040|7093399015|13003099007|8096899003;

        Icon Hash:46070c0a8e0c67d6
        DNS answers (Mar 25, 2025 22:46:33.978648901 CET, source 1.1.1.1, destination 192.168.2.6, transaction ID 0x5a46, reply code: No error (0), class IN (0x0001), DNS over HTTPS: false):
          ecs-office.s-0005.dual-s-msedge.net  CNAME  s-0005.dual-s-msedge.net
          s-0005.dual-s-msedge.net  A  52.123.129.14
          s-0005.dual-s-msedge.net  A  52.123.128.14
        Target ID:2
        Start time:17:46:26
        Start date:25/03/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\7e02499c-2bea-a9d9-6a2f-934633fb5e94.eml"
        Imagebase:0x6a0000
        File size:34'446'744 bytes
        MD5 hash:91A5292942864110ED734005B7E005C0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:4
        Start time:17:46:33
        Start date:25/03/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "20EC6D5A-8C61-4A72-B4D0-0FBD921137BF" "9D99BC2F-0413-4AD1-B5B5-6F25C4F4E4D7" "7640" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Imagebase:0x7ff7b55f0000
        File size:710'048 bytes
        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        No disassembly