
Windows Analysis Report
Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml

Overview

General Information

Sample name:Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml
Analysis ID:1658742
MD5:3e2e0f0d8ef1b81a4801208c39b49cd3
SHA1:c5e26813d36ac66664752d7c9c00259ef9f08b4f
SHA256:db7efa6460372e35189ed45bd11595f4cf626f3f4a13163e9807669520c29a06

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected suspicious elements in Email content
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

Classification chart (categories shown: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
  • System is w10x64
  • OUTLOOK.EXE (PID: 6312 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6100 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "9FFB3030-A239-4A5C-A8BA-7ED10F54B49E" "BEB4842B-5C57-4C17-812D-518B82A07A12" "6312" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma rule (Office Autorun Keys Modification) matched on: Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6312, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Phishing

Source: Email; Joe Sandbox AI: Email contains prominent button: 'rate confirmation form - click here'
Source: Email; Joe Sandbox AI: Detected potential phishing email: The email contains multiple repetitive sections and duplicated content, which is unusual for legitimate business communications. The link provided (BKLI.loadtracking.com) appears suspicious and doesn't match the official domain (beckerlogistics.com). The urgency created by the short expiration time (0 days 1 hr) is a common phishing tactic
Source: Email; Classification: Credential Stealer
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: <td><a href=3D"https://www.facebook.com/BeckerLogistics/"><img src=3D"https= equals www.facebook.com (Facebook)
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: <td><a href=3D"https://www.linkedin.com/company/522234"><img src=3D"https:/= equals www.linkedin.com (Linkedin)
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: <td><a href=3D"https://www.youtube.com/channel/UCLVZ2fAt28LS29j8mOME6Ww"><i= equals www.youtube.com (Youtube)
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://BKLI.loadtracking.com/dp/=
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://instagram.com/beckerlogistics/
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://twitter.com/BeckerLogistics
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://www.beckerlogistics.com/?utm_source=3Dgeneral&amp;ut=
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://www.beckerlogistics.com/blog/becker-logistics-places=
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://www.beckerlogistics.com/blog/becker-logistics-ranks-o=
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://www.beckerlogistics.com/inc5000_colorstacked-2/
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://www.beckerlogistics.com/wp-content/uploads/2021/11/SM-Ico=
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://www.linkedin.com/company/522234
Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; String found in binary or memory: https://www.youtube.com/channel/UCLVZ2fAt28LS29j8mOME6Ww
Source: classification engine; Classification label: mal48.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250407T1700430599-6312.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "9FFB3030-A239-4A5C-A8BA-7ED10F54B49E" "BEB4842B-5C57-4C17-812D-518B82A07A12" "6312" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "9FFB3030-A239-4A5C-A8BA-7ED10F54B49E" "BEB4842B-5C57-4C17-812D-518B82A07A12" "6312" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (47 identical events)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 identical events)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (flattened table; columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques carrying a signature count in the matrix: Browser Extensions, Process Injection, Masquerading, Process Discovery, DLL Side-Loading, Modify Registry, System Information Discovery; the per-technique counts are not recoverable from the flattened text, and the remaining cells are the matrix's default technique names without a count.
Behavior Graph (ID: 1658742; Sample: Becker Logistics, Inc. Rate...; Startdate: 07/04/2025; Architecture: WINDOWS; Score: 48)
  • Signatures on the sample node: AI detected suspicious elements in Email content; AI detected landing page (webpage, office document or email)
  • OUTLOOK.EXE started
  • Files dropped by OUTLOOK.EXE: C:\...\~Outlook Data File - NoEmail.pst.tmp (data); C:\Users\...\Outlook Data File - NoEmail.pst (Microsoft)
  • ai.exe started by OUTLOOK.EXE

No Antivirus matches
URL scan results (Source; Detection; Scanner; Label):
https://www.beckerlogistics.com/blog/becker-logistics-ranks-o=; 0%; Avira URL Cloud; safe
https://www.beckerlogistics.com/blog/becker-logistics-places=; 0%; Avira URL Cloud; safe
https://www.beckerlogistics.com/?utm_source=3Dgeneral&amp;ut=; 0%; Avira URL Cloud; safe
https://BKLI.loadtracking.com/dp/=; 0%; Avira URL Cloud; safe
https://www.beckerlogistics.com/inc5000_colorstacked-2/; 0%; Avira URL Cloud; safe
https://www.beckerlogistics.com/wp-content/uploads/2021/11/SM-Ico=; 0%; Avira URL Cloud; safe
Contacted domains (Name; IP; Active; Malicious; Antivirus Detection; Reputation):
s-0005.dual-s-msedge.net; IP: 52.123.128.14; Active: true; Malicious: false; Reputation: high
URLs (Name; Source; Malicious; Antivirus Detection; Reputation):
https://instagram.com/beckerlogistics/; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Reputation: high
https://www.beckerlogistics.com/blog/becker-logistics-ranks-o=; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
https://www.beckerlogistics.com/blog/becker-logistics-places=; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
https://www.linkedin.com/company/522234; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Reputation: high
https://twitter.com/BeckerLogistics; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Reputation: high
https://BKLI.loadtracking.com/dp/=; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
https://www.beckerlogistics.com/?utm_source=3Dgeneral&amp;ut=; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
https://www.beckerlogistics.com/inc5000_colorstacked-2/; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
https://www.beckerlogistics.com/wp-content/uploads/2021/11/SM-Ico=; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Avira URL Cloud: safe; Reputation: unknown
https://www.youtube.com/channel/UCLVZ2fAt28LS29j8mOME6Ww; Source: Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml; Malicious: false; Reputation: high
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1658742
Start date and time:2025-04-07 22:59:40 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 3s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml
Detection:MAL
Classification:mal48.winEML@3/3@0/0
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.0.91, 23.206.121.14, 23.206.121.15, 51.116.246.106, 20.189.173.16, 52.123.128.14, 20.190.152.22, 52.149.20.212, 184.31.69.3, 172.202.163.200
  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, ecs.office.com, fs.microsoft.com, onedscolprdgwc06.germanywestcentral.cloudapp.azure.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, onedscolprdwus17.westus.cloudapp.azure.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, dual-s-0005-office.config.skype.com, login.live.com, otelrules.svc.static.microsoft, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, mobile.events.data.trafficmanager.net, a1864.dscd.akamai.net
  • Not all processes were analyzed; report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
No context
Context for domain s-0005.dual-s-msedge.net (Associated Sample Name; Detection; Threat Name; Context IP):
  • PURCHASE ORDER -6657-980.xla.xlsx; malicious; Unknown; 52.123.128.14
  • PO#4500550389.xla.xlsx; malicious; Unknown; 52.123.129.14
  • Payment advice.xls; malicious; Unknown; 52.123.129.14
  • PO#4500550389.xla.xlsx; malicious; Unknown; 52.123.129.14
  • PURCHASE ORDER -6657-980.xla.xlsx; malicious; Unknown; 52.123.128.14
  • Payment advice.xls; malicious; Unknown; 52.123.129.14
  • Payment comfirmation.doc; malicious; Unknown; 52.123.129.14
  • PO#4500550389.xla.xlsx; malicious; Unknown; 52.123.129.14
  • Payment advice.xls; malicious; Unknown; 52.123.129.14
  • Payment comfirmation.doc; malicious; Unknown; 52.123.129.14
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):102400
Entropy (8bit):4.462776527219168
Encrypted:false
SSDEEP:768:FWTOIEP397NQivyNlDa549EVlbMb96LaSdlaa4/2rmpXYhiKipYOflQWX1C1POaT:fh4IQb96LawX4i
MD5:9E26733EA122C10CC0AE4FC398080462
SHA1:0E5CD3D8F10D3F98F0522E70ED05F6E8026E23C5
SHA-256:BD9907C66A05DBD09B95F7B6DF3A98825BDEEC976C7618C6287A06EA6AD2910E
SHA-512:9573E987A6F09F03CCBFAC85A5680A22093470EE289F4CCCC7BDEA8E062C21C31CF0E430AA7F6E8F6920F951C402A370A81DE75893544E52BF6AEE1EFD0BE14B
Malicious:false
Reputation:low
            Preview:............................................................................d...........\.{ ....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................Z...........\.{ ............v.2._.O.U.T.L.O.O.K.:.1.8.a.8.:.9.a.0.7.7.5.1.0.1.9.b.9.4.2.2.9.9.2.c.6.2.b.5.4.e.a.2.c.a.3.5.9...C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.4.0.7.T.1.7.0.0.4.3.0.5.9.9.-.6.3.1.2...e.t.l...........P.P.........\.{ ....................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):2.7859577714542687
Encrypted:false
SSDEEP:1536:I6O0KZMwHD1sVZWxehGUAqLn4CCp2ZW53jEpEHP4qQ10PAwrHZ/EW53jEpEHP4q5:g0Q1sfWcL4Ap98op9
MD5:E263802AB57F4CFC7300AE692DE63A14
SHA1:F3AA4983B24907064812847ED3A0DAF2F2BBDEC5
SHA-256:50B9AF332FBCD8C899EDEAF0BC1988F3518D0641DDC62A84A36F98461DD91945
SHA-512:34763BE1D05FC97A5F6C0076D75355A19304A160191321C8303F011C7DF20740ADF6D249E353370980180A52E65BD8495465C701F7B0DDCE57827D68526270A0
Malicious:true
Reputation:low
            Preview:!BDN...SSM......\..."l..........C......._................@...........@...@...................................@...........................................................................$.......D......................B...............?........v............................................................................................................................................................................................................................................................................................].\.N.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):3.1558762792152892
Encrypted:false
SSDEEP:1536:O8W53jEpEHP4qQ10PAwr1U/NJj7D4NW53jEpEHP4qQ10PAwrojwvhHR0:Oep9rwbp9v
MD5:13141405BDA386B960DC27A44E08FD88
SHA1:A8D080A81804320B532274EE933B13230BBF330A
SHA-256:4E299D7FC08754C2CC287E8CE766F0CDEB71387AABEEFA27C3F61F234D6D4EAE
SHA-512:D5C2205BFD930C9276B90B55522DD756B5B72475F32F63C8BED5F66F74177BDAF1F90EC45472E3898F7751B3335327B81FA05C98F44D4C18D16C22A96EF6E2D0
Malicious:true
Reputation:low
            Preview:..?.C...]............w> ......................#.!BDN...SSM......\..."l..........C......._................@...........@...@...................................@...........................................................................$.......D......................B...............?........v............................................................................................................................................................................................................................................................................................].\.N..w> .........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:SMTP mail, ASCII text, with very long lines (347), with CRLF line terminators
Entropy (8bit):5.572883936727022
TrID:
File name:Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml
File size:20'679 bytes
MD5:3e2e0f0d8ef1b81a4801208c39b49cd3
SHA1:c5e26813d36ac66664752d7c9c00259ef9f08b4f
SHA256:db7efa6460372e35189ed45bd11595f4cf626f3f4a13163e9807669520c29a06
SHA512:dd7ef9c16509c96c43aa120b3b81adb6a601ab9a0d3fcfe51050d5cbb77717d8086672478d3ff801367068346f77a535ccbc20cc9b6032c192b3f6e211bc423b
SSDEEP:384:Ivwc5t97gwkJYFyc6gf8/t4/vI++4/vOW4/vG/k4/v8iRRv4/vl/85u/qWfEZTnG:Ioc5t5BMYFIOFXr4le23
TLSH:8A922C1F59CB0D2210BEDD656F01AC38F397386E436A4191346F9447DB88F94FA8A2F9
File Content Preview:Delivered-To: lena@deltagov.com..Received: by 2002:ab4:a190:0:b0:28c:be37:2e43 with SMTP id de16csp6754831ecb;.. Mon, 7 Apr 2025 12:19:39 -0700 (PDT)..X-Google-Smtp-Source: AGHT+IERxaZgAdnUmPqpiSSjpYi5XBc0URVilGsNik1bDAeyoIAHM+zOa4WiyPOKhRSOORENUgU
Subject:Becker Logistics, Inc. Rate Confirmation for order: 2747476
From:"andrii.riashko@beckerlogistics.com" <andrii.riashko@beckerlogistics.com>
To:lena@deltagov.com
Cc:
BCC:
Date:Mon, 07 Apr 2025 14:19:33 -0500
Communications:
              • Click the link below to access your rate confirmation for order: 2747476. If you are having difficulty clicking the link, you can copy and paste it into your web browser. By signing, accepting, and submitting; you are agreeing to the terms set by Becker Logistics, Inc.. Please click the link below to view this Rate Confirmation from Becker Logistics, Inc.. Rate Confirmation eForm - Click here (https://BKLI.loadtracking.com/dp/dpeforms?eN=eemgnfineifff) This link will expire in 0 days 1 hrs 0 minutes. Thank you for your business. Andrii Riashko, Carrier Sales Represenative, Office: 630.529.0700 x3007, BeckerLogistics.com (https://www.beckerlogistics.com/?utm_source=general&utm_medium=email&utm_campaign=signature). Check out what's new with Becker Logistics! Becker Logistics has been added to Transport Topics top 100 Freight Brokerage Firms (https://www.beckerlogistics.com/blog/becker-logistics-ranks-on-transport-topics-2024-top-100-freight-brokerages/?utm_source=general&utm_medium=email&utm_campaign=signature). This electronic message is intended for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any review, dissemination, copying, printing, or other use of this electronic message by persons or entities other than the addressee is prohibited. If you received this electronic message in error, please contact the sender immediately and delete the electronic message from any and all computers.
              • Other links in the message body (signature): https://www.beckerlogistics.com/blog/becker-logistics-places-on-inc-5000s-2021-list-of-fastest-growing-companies-in-america/?utm_source=general&utm_medium=email&utm_campaign=signature, https://www.facebook.com/BeckerLogistics/, https://www.linkedin.com/company/522234, https://www.youtube.com/channel/UCLVZ2fAt28LS29j8mOME6Ww, https://twitter.com/BeckerLogistics, https://instagram.com/beckerlogistics/
              Attachments:
                Delivered-To: lena@deltagov.com
                Received: from GO-APP07 (69.65.18.130) by SJ1PEPF00001CE8.mail.protection.outlook.com (10.167.242.24) with Microsoft SMTP Server id 15.20.8606.22 via Frontend Transport; Mon, 7 Apr 2025 19:19:35 +0000
                X-Google-Smtp-Source: AGHT+IERxaZgAdnUmPqpiSSjpYi5XBc0URVilGsNik1bDAeyoIAHM+zOa4WiyPOKhRSOORENUgUG
                X-Received: by 2002:a05:690c:3686:b0:703:ac44:d37e with SMTP id 00721157ae682-703f42fc111mr180885847b3.37.1744053578829; Mon, 07 Apr 2025 12:19:38 -0700 (PDT)
                ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=jVz5QLMH6fGm+t5q2UU0fuOHTx17pvOm64gr1gwbrUtUBHMFfYx/EsVJ+5EsD7h1FSX0RgCxIUyhSbnPusL5GpYnz4BNTRhMAPp8alEpr8C9LG98dp7QafjbZkt6FGCVwPUsSzwDABja+ySHVmJDlqPPQz8VqARm4IafWr8nx0oTwA4Pw2T7ri0bDNoaWgHeTLWMiptkvLhrxv3t+MYYF/RLjIJ9vNgbmlVuSNg5uacBg5EWZDVfvKnQrF1jaX3COlIZOB5HqyL9X9jWLdddvENvvy6gJm/pdOhjXoBhyW7QEDRjnxbkqEQ38O0ZqnfmTlFr+s4FkIGM3kLAja1cuQ==
                ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Pv9M6pEL5qrHNSH3Dx1YWLD1zdeaQarjz+rs0haUR2A=; b=HuD2wkncscVcCnQIA8xgo66staJJBXZTc68lJ5d1TVlbecxrfZnmOx/qQrhN64y1rl9nrjwEWaZpeXT9BqXOQ80NkEapFFMoNhFXtmnxXuA2N4u4gfFgCVF3PeFgcUI1afYcX11kBuh3wgYx3Pnx4wP+P7NS8ZYSuSs45d9NkeYa1YP8bu/ieHJFn8YtIPlpz3fkMA6PG1Hrw9nGJp53Pb+bn26GVVmzWD0q0MjO5Q81h64EZ/6IZDBHaWOfuY5PUKy+JkFnlFGItDKhaAzocsYaQfaT4yUIUSZAIIEO2g2Foy8UPH/5jzab/MCP847lNNm7svxG/cRGfdfUV6bCGA==
                ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is 69.65.18.130) smtp.rcpttodomain=deltagov.com smtp.mailfrom=beckerlogistics.com; dmarc=fail (p=none sp=none pct=100) action=none header.from=beckerlogistics.com; dkim=none (message not signed); arc=none (0)
                Return-Path: andrii.riashko@beckerlogistics.com
                Received-SPF: Fail (protection.outlook.com: domain of beckerlogistics.com does not designate 69.65.18.130 as permitted sender) receiver=protection.outlook.com; client-ip=69.65.18.130; helo=GO-APP07;
                Authentication-Results: mx.google.com; dkim=pass header.i=@beckerlogistics.onmicrosoft.com header.s=selector2-beckerlogistics-onmicrosoft-com header.b="kskYx/er"; arc=pass (i=1); spf=pass (google.com: domain of andrii.riashko@beckerlogistics.com designates 2a01:111:f403:200a::714 as permitted sender) smtp.mailfrom=andrii.riashko@beckerlogistics.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=beckerlogistics.com
                DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=beckerlogistics.onmicrosoft.com; s=selector2-beckerlogistics-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Pv9M6pEL5qrHNSH3Dx1YWLD1zdeaQarjz+rs0haUR2A=; b=kskYx/erjmEUG2NyvoLAYqN85QT8iSypuODvxJ+khLehIayzktFFg/dpJPZ66uAlzGRLicETYVfx3DPyupTP/rLJb7ctoLpCx2WJ3mY3PsHFEvDMm9xIMeTGZTp0yQbacgTWxpforSeuzL4Mmdl+PgtjJ8lctuSG9d+X57I/k/A=
                X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 69.65.18.130) smtp.mailfrom=beckerlogistics.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=beckerlogistics.com;
                From: "andrii.riashko@beckerlogistics.com" <andrii.riashko@beckerlogistics.com>
                Subject: Becker Logistics, Inc. Rate Confirmation for order: 2747476
                To: lena@deltagov.com
                MIME-Version: 1.0
                Sender: "andrii.riashko@beckerlogistics.com" <andrii.riashko@beckerlogistics.com>
                Reply-To: andrii.riashko@beckerlogistics.com
                Date: Mon, 07 Apr 2025 14:19:33 -0500
                Message-ID: <202504071419302880.94@GO-APP07.gobecker.com>
                X-Mailer: emailit
                Content-Type: text/html; charset="utf-8"
                Content-Transfer-Encoding: quoted-printable
                Content-Disposition: inline
                X-EOPAttributedMessage: 0
                X-MS-PublicTrafficType: Email
                X-MS-TrafficTypeDiagnostic: SJ1PEPF00001CE8:EE_|SA1PR16MB4825:EE_
                X-MS-Office365-Filtering-Correlation-Id: b007c3e2-7fc1-4024-bb4b-08dd76092201
                X-MS-Exchange-SenderADCheck: 1
                X-MS-Exchange-AntiSpam-Relay: 0
                X-Microsoft-Antispam: BCL:0;ARA:13230040|1032899013|1800799024|82310400026|376014|36860700013|69100299015|8096899003|2066899003;
                X-Microsoft-Antispam-Message-Info Ywo37IpQVlIT0qgGZCg5maVgM5Bg/Pjk6chDfZdpdYgkmLlKQCc7Fzerga8I0TREqCGMNVN34HW8NpiNTPp1NOHE9UCnqolHrVXR8MxIQg0EQ0v2Xy9zMAXlXHswOPkZXndNQqp03rP8AEtELhMR5YDN+txgFJvztzM1ebQAScxHP6x7y3H/3QY+b/qFGVTz4Bv/HYYgCvaGXtAND86oOmkqFYwI6HLOIsVtq/BK+gWGHnz8YccqWZSdBTH+fTSjQ8cP9c/J6KYpmNXeBZx7DOV9c2RqQUYlmlnP/nsc86xgbxj8X5mOf7gyiLaE14vlgNNJNTdv7Q5PfYYQ4w9qUa0EBfD1t6Y7CeAY28PK+3z8nhWlj5cZ2sHn+KlhkZrGrqCzW0sdHXQDwkPqYnLvOeiWAAlGdWqFFK6Uv/vj/dP8RgPahZR9bh6uvvs4qSDGc8JW5s1wro4E3rKjodYLrUVnU5aHHBPGbydcUubdZm7eM7O4BAUE57DeY2ArGAPPjgEFOC5LMrQk0Xc/jPrgk/iMpkmrjerkqzSM8nxB8cQT93SDSXnP7qy/TaEBvP56Tugs3fhXPYPaqFdAR0zdBB9JiGSPV5GC6QHMP1E8ZcbhQilfb8ahBkl/23ioeNcbLBUysVzN2cOar+rq9ZLabxQo2DAVceVxgobw23s8M9eHlsOHjPK+zkFG8DStBw7Qx93VANJB3u2TBAZZEBERd6eTPlwgudZR5HvQn8G2FSeiEfAqkrPavsy1VLtZNgY3T5MtZdLDVgGlL9yOvbYzIU6IHFBFbiZmRyWgz4M/rRck648pLlZxQohiEA6lS5wvs4hsF1E58ldUsd5MnixVDPIuvBQNRcA8vcZH53q4Mt55WJ3ys5lCwDlBewbe1QKs4Shep4doZZNDsneivIuwG66IiDVUCkz3Zu+mgTxKzqzGS1SfMS4hdDRodSpdCp9iSQNdNGCO2OvE+Dtq8qBI+Mk+/aJjWZgRnoBw05ORDctBXdQrX8SxCe8MjOuY3/e/Xad1yOqNPquB82sv6FP/zD6vgbumeX9z5b0pWt1YFRANS4q+C5Fh7KyrlrVEboDI/OdXPlBPE14NeiEgnllhdwfMm0uSusz00GZc/f4/tFKmH+A8l3R+B5v++46boJwNQTq1sF5/sqjJlqPJaOGaHJnXXFC9nLEEWIFqPHYcwZ8+fg5B95lXOIZ3zn305fzPrRnedtfDpP+oaiiHoUjVMfJGExq89PiSdqoqXx8T9pmHMO+/fiprgdmDBzTK2QWMxXd2edI+fVpDYTIk8fRd1IPuFqlej9gEu2SaoWKUeF+kAD4N3/GhPm0GOvBkFfaFZOIxWiik2w39wzYFQuvdJZfvGGVdLpeTqbQnfuhq65hnsdMmihW5TcMcU0N7jx4+SoyIlI/mPmu7SCS9LNC+rZocaY6BPELjig9uIP7EE4XV7EIr4WuoNOWPB1c2X2/QlZjHn82NTaH681kdGAEwCU5H0vsVrUMmA/1aBtj7r4Y=
                X-Forefront-Antispam-Report: CIP:69.65.18.130;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GO-APP07;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(1032899013)(1800799024)(82310400026)(376014)(36860700013)(69100299015)(8096899003)(2066899003);DIR:OUT;SFP:1102;
                X-OriginatorOrg: beckerlogistics.com
                X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Apr 2025 19:19:35.1300 (UTC)
                X-MS-Exchange-CrossTenant-Network-Message-Id: b007c3e2-7fc1-4024-bb4b-08dd76092201
                X-MS-Exchange-CrossTenant-Id: 93911d83-c81d-424a-b44d-8b41231e6db3
                X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=93911d83-c81d-424a-b44d-8b41231e6db3;Ip=[69.65.18.130];Helo=[GO-APP07]
                X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00001CE8.namprd03.prod.outlook.com
                X-MS-Exchange-CrossTenant-AuthAs: Anonymous
                X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
                X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR16MB4825
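Worked example, added here and not part of the Joe Sandbox report (nor code from Becker Logistics or Microsoft): a small Python triage that reads the header fields above and keeps each authenticator's verdict separate instead of trusting the last one. The point it makes is visible in the report itself: mx.microsoft.com, the first receiver, recorded spf=fail, dkim=none and dmarc=fail for the connecting host GO-APP07 (69.65.18.130), while mx.google.com, one hop later, recorded spf=pass, dkim=pass and dmarc=pass because Exchange Online relayed the message from its own address (2a01:111:f403:200a::714) and signed it with d=beckerlogistics.onmicrosoft.com, a domain that is not aligned with the From domain beckerlogistics.com. The sample header values are copied from the report with the DKIM b= value and h= list shortened; the function names, the set of headers consulted, and the last-two-labels stand-in for the organizational domain are this example's own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: authentication-related fields from the report above, one header
# per line, with the DKIM h= list and b= value shortened. Not the sandbox's raw .eml.
SAMPLE_HEADERS = (
    "Received: from GO-APP07 (69.65.18.130) by SJ1PEPF00001CE8.mail.protection.outlook.com"
    " (10.167.242.24) with Microsoft SMTP Server id 15.20.8606.22 via Frontend Transport;"
    " Mon, 7 Apr 2025 19:19:35 +0000\n"
    "ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=fail (sender ip is 69.65.18.130)"
    " smtp.rcpttodomain=deltagov.com smtp.mailfrom=beckerlogistics.com; dmarc=fail (p=none"
    " sp=none pct=100) action=none header.from=beckerlogistics.com; dkim=none (message not"
    " signed); arc=none (0)\n"
    "Authentication-Results: mx.google.com; dkim=pass header.i=@beckerlogistics.onmicrosoft.com"
    " header.s=selector2-beckerlogistics-onmicrosoft-com header.b=\"kskYx/er\"; arc=pass (i=1);"
    " spf=pass (google.com: domain of andrii.riashko@beckerlogistics.com designates"
    " 2a01:111:f403:200a::714 as permitted sender)"
    " smtp.mailfrom=andrii.riashko@beckerlogistics.com;"
    " dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=beckerlogistics.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=beckerlogistics.onmicrosoft.com;"
    " s=selector2-beckerlogistics-onmicrosoft-com; h=From:Date:Subject:Message-ID;"
    " bh=Pv9M6pEL5qrHNSH3Dx1YWLD1zdeaQarjz+rs0haUR2A=; b=kskYx/er...CUT\n"
    "X-MS-Exchange-Authentication-Results: spf=fail (sender IP is 69.65.18.130)"
    " smtp.mailfrom=beckerlogistics.com; dkim=none (message not signed) header.d=none;"
    "dmarc=fail action=none header.from=beckerlogistics.com;\n"
    "From: \"andrii.riashko@beckerlogistics.com\" <andrii.riashko@beckerlogistics.com>\n"
    "\n"
)

METHOD_RE = re.compile(r'^\s*(spf|dkim|dmarc|arc|iprev|auth)\s*=\s*(\w+)', re.I)
PROP_RE = re.compile(r'\b(smtp|header|policy|dns)\.([\w-]+)=("[^"]*"|\S+)')
IP_RE = re.compile(r'(?:sender ip is|client-ip=|designates)\s*([0-9a-f:.]+)', re.I)


def parse_auth_results(value):
    """Parse an Authentication-Results style value (RFC 8601). Also accepts the ARC
    variant (leading 'i=N;') and Exchange's X-MS- variant (no authserv-id)."""
    segments = [s.strip() for s in value.split(';') if s.strip()]
    if segments and re.fullmatch(r'i=\d+', segments[0]):
        segments.pop(0)                                  # ARC instance tag
    authserv = ''
    if segments and not METHOD_RE.match(segments[0]):
        authserv = segments.pop(0).split()[0]            # drop the optional version token
    parsed = {'authserv': authserv, 'methods': {}, 'props': {}}
    for seg in segments:
        m = METHOD_RE.match(seg)
        if not m:
            continue
        method, verdict = m.group(1).lower(), m.group(2).lower()
        parsed['methods'][method] = verdict
        for ptype, prop, val in PROP_RE.findall(seg):
            parsed['props'][f'{method}.{ptype}.{prop}'] = val.strip('"')
        ip = IP_RE.search(seg)                           # the IP this verdict was computed for
        if ip:
            parsed['props'][f'{method}.ip'] = ip.group(1)
    return parsed


def org_domain(domain):
    """Last two labels as a stand-in for the organizational domain (assumption: a real
    DMARC alignment check uses the Public Suffix List)."""
    return '.'.join(domain.lower().rstrip('.').split('.')[-2:])


def triage(raw_headers):
    """Collect every authenticator's verdict, locate the first hop, and list findings."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get('From', ''))[1].rpartition('@')[2].lower()
    hops = []
    for received in reversed(msg.get_all('Received', [])):   # oldest hop first
        m = re.match(r'from\s+(\S+)\s+\(([0-9a-f:.]+)\)', received.strip(), re.I)
        if m:
            hops.append({'helo': m.group(1), 'ip': m.group(2)})
    first_hop = hops[0] if hops else None
    verdicts = []
    for name in ('ARC-Authentication-Results', 'Authentication-Results',
                 'X-MS-Exchange-Authentication-Results'):
        for value in msg.get_all(name, []):
            verdicts.append(dict(parse_auth_results(value), header=name))
    dkim_domains = []
    for sig in msg.get_all('DKIM-Signature', []):
        m = re.search(r'(?:^|;)\s*d=([^;\s]+)', sig)
        if m:
            dkim_domains.append(m.group(1).lower())
    findings = []
    if first_hop and any(v['methods'].get('spf') == 'fail' and
                         v['props'].get('spf.ip') == first_hop['ip'] for v in verdicts):
        findings.append(f"SPF failed for the first hop {first_hop['helo']} ({first_hop['ip']})")
    for d in dkim_domains:                               # DMARC relaxed alignment, approximated
        if org_domain(d) != org_domain(from_domain):
            findings.append(f"DKIM d={d} is not aligned with From domain {from_domain}")
    dmarc = [(v['authserv'] or v['header'], v['methods']['dmarc'])
             for v in verdicts if 'dmarc' in v['methods']]
    if len({r for _, r in dmarc}) > 1:
        findings.append('authenticators disagree on DMARC: ' +
                        ', '.join(f'{a}={r}' for a, r in dmarc))
    return {'from_domain': from_domain, 'first_hop': first_hop, 'verdicts': verdicts,
            'dkim_domains': dkim_domains, 'findings': findings}
```

Calling triage(SAMPLE_HEADERS) yields three findings for this message: SPF failed for the first hop GO-APP07 (69.65.18.130), the only DKIM signature is from beckerlogistics.onmicrosoft.com and does not align with beckerlogistics.com, and the authenticators disagree on DMARC (mx.microsoft.com fail, mx.google.com pass). The Google pass rests on SPF alignment of the envelope sender against Microsoft's outbound address, not on anything the sender's own host GO-APP07 proved, which is why a triage rule should key on the first hop rather than on the final Authentication-Results header.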

                Icon Hash:46070c0a8e0c67d6
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Apr 7, 2025 23:00:49.660120010 CEST | 1.1.1.1 | 192.168.2.8 | 0x1b4a | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                Apr 7, 2025 23:00:49.660120010 CEST | 1.1.1.1 | 192.168.2.8 | 0x1b4a | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                Apr 7, 2025 23:00:49.660120010 CEST | 1.1.1.1 | 192.168.2.8 | 0x1b4a | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false

                Target ID:0
                Start time:17:00:43
                Start date:07/04/2025
                Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Becker Logistics, Inc. Rate Confirmation for order_ 2747476.eml"
                Imagebase:0x3d0000
                File size:34'446'744 bytes
                MD5 hash:91A5292942864110ED734005B7E005C0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:2
                Start time:17:00:45
                Start date:07/04/2025
                Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                Wow64 process (32bit):false
                Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "9FFB3030-A239-4A5C-A8BA-7ED10F54B49E" "BEB4842B-5C57-4C17-812D-518B82A07A12" "6312" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                Imagebase:0x7ff7003b0000
                File size:710'048 bytes
                MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                No disassembly