Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
e73fd063-ee8a-a9c6-f391-834415836051.eml

Overview

General Information

Sample name:e73fd063-ee8a-a9c6-f391-834415836051.eml
Analysis ID:1675776
MD5:0591a0d418cea56e92360436de6df692
SHA1:c890f388ad9b5d68f031b6bf68c6d8382bef024b
SHA256:2fb0e5872be17ec630de5c356b94cf7892bec16ebf0c06dd197c34e8f7137689
Infos:

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected suspicious elements in Email content
Queries the volume information (name, serial number etc) of a device

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • OUTLOOK.EXE (PID: 7084 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\e73fd063-ee8a-a9c6-f391-834415836051.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 2488 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "39D5AE5F-278B-4B07-A02C-37C9C7DFD5E7" "969BD495-0C59-4644-953F-3B2F2050D124" "7084" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • Phishing
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Phishing

barindex
Source: EmailJoe Sandbox AI: Email contains prominent button: 'view pdf'
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlJoe Sandbox AI: Detected potential phishing email: Suspicious sender domain 'disneytech.asia' attempting to impersonate legitimate brands (Disney/Procore). Suspicious URL structure and redirect through 'icpage.net' domain. Inconsistent branding mixing Disney, Procore, and DigiSigner in suspicious ways
Source: EmailClassification: Credential Stealer
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://1d7005-668.icpage.n=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://1d7005-668.icpage.net/analytics/click/?d=3Dhttps%3A%=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://1d7005-668.icpage.net/analytics/click/?d=3Dhttps=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://aus01.safelinks.protection.outlook.com/=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://aus01.safelinks.protection.outlook.com/?url=3Dh=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://aus01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://procore.com
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://procore.com/
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://storage.pro=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://storage.procore.com/api/v5/files/us-east-1/pro-core.com/prostore/2=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://support.procore.=
Source: e73fd063-ee8a-a9c6-f391-834415836051.emlString found in binary or memory: https://support.procore.com
Source: classification engineClassification label: mal48.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmpJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250427T2105420063-7084.etlJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\e73fd063-ee8a-a9c6-f391-834415836051.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "39D5AE5F-278B-4B07-A02C-37C9C7DFD5E7" "969BD495-0C59-4644-953F-3B2F2050D124" "7084" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "39D5AE5F-278B-4B07-A02C-37C9C7DFD5E7" "969BD495-0C59-4644-953F-3B2F2050D124" "7084" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation21
Browser Extensions		1
Process Injection		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Process Injection		LSASS Memory12
System Information Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1675776 Sample: e73fd063-ee8a-a9c6-f391-834... Startdate: 28/04/2025 Architecture: WINDOWS Score: 48 15 AI detected suspicious elements in Email content 2->15 17 AI detected landing page (webpage, office document or email) 2->17 6 OUTLOOK.EXE 49 77 2->6         started        process3 file4 11 C:\...\~Outlook Data File - NoEmail.pst.tmp, data 6->11 dropped 13 C:\Users\...\Outlook Data File - NoEmail.pst, Microsoft 6->13 dropped 9 ai.exe 6->9         started        process5

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://support.procore.=0%Avira URL Cloudsafe
https://storage.pro=0%Avira URL Cloudsafe
https://1d7005-668.icpage.net/analytics/click/?d=3Dhttps%3A%=0%Avira URL Cloudsafe
https://1d7005-668.icpage.n=0%Avira URL Cloudsafe
https://1d7005-668.icpage.net/analytics/click/?d=3Dhttps=0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
s-0005.dual-s-msedge.net
52.123.129.14
truefalse
    		high
    NameSourceMaliciousAntivirus DetectionReputation
    https://aus01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
      		high
      https://storage.procore.com/api/v5/files/us-east-1/pro-core.com/prostore/2=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
        		high
        https://procore.com/e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
          		high
          https://support.procore.=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
          • Avira URL Cloud: safe
          		unknown
          https://1d7005-668.icpage.net/analytics/click/?d=3Dhttps%3A%=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
          • Avira URL Cloud: safe
          		unknown
          https://procore.come73fd063-ee8a-a9c6-f391-834415836051.emlfalse
            		high
            https://aus01.safelinks.protection.outlook.com/=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
              		high
              https://1d7005-668.icpage.n=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
              • Avira URL Cloud: safe
              		unknown
              https://aus01.safelinks.protection.outlook.com/?url=3Dh=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
                		high
                https://storage.pro=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
                • Avira URL Cloud: safe
                		unknown
                https://support.procore.come73fd063-ee8a-a9c6-f391-834415836051.emlfalse
                  		high
                  https://1d7005-668.icpage.net/analytics/click/?d=3Dhttps=e73fd063-ee8a-a9c6-f391-834415836051.emlfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://aka.ms/LearnAboutSenderIdentificatione73fd063-ee8a-a9c6-f391-834415836051.emlfalse
                    		high

                    World Map of Contacted IPs

                    No contacted IP infos

                    General Information

                    Joe Sandbox version:42.0.0 Malachite
                    Analysis ID:1675776
                    Start date and time:2025-04-28 03:04:35 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 4m 6s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:13
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:e73fd063-ee8a-a9c6-f391-834415836051.eml
                    Detection:MAL
                    Classification:mal48.winEML@3/3@0/0
                    Cookbook Comments:
                    • Found application associated with file extension: .eml
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, TextInputHost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 52.109.20.38, 69.192.44.226, 20.42.73.28, 52.123.129.14, 20.109.210.53
                    • Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, scus-azsc-config.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, dual-s-0005-office.config.skype.com, otelrules.svc.static.microsoft, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, onedscolprdeus15.eastus.cloudapp.azure.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, mobile.events.data.trafficmanager.net
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                    Simulations

                    Behavior and APIs

                    No simulations

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    s-0005.dual-s-msedge.neteattitde.docGet hashmaliciousUnknownBrowse
                    • 52.123.129.14
                    myfile.docGet hashmaliciousUnknownBrowse
                    • 52.123.129.14
                    wgivenby.docGet hashmaliciousUnknownBrowse
                    • 52.123.129.14
                    rthisday.docGet hashmaliciousUnknownBrowse
                    • 52.123.129.14
                    myfile.docGet hashmaliciousUnknownBrowse
                    • 52.123.128.14
                    wgivenby.docGet hashmaliciousUnknownBrowse
                    • 52.123.128.14
                    eattitde.docGet hashmaliciousUnknownBrowse
                    • 52.123.128.14
                    rthisday.docGet hashmaliciousUnknownBrowse
                    • 52.123.128.14
                    250427-3jbtpawp18.bin.exeGet hashmaliciousUnknownBrowse
                    • 52.123.129.14
                    250427-29p9bstvez.bin.exeGet hashmaliciousXRedBrowse
                    • 52.123.129.14

                    ASNs

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250427T2105420063-7084.etl

                    Download File
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):4.509708350101463
                    Encrypted:false
                    SSDEEP:768:lT6qbNa6HdzpQLeYerfjy47O99r5t1HaLXhv91WdWLhCI97EC:Zs4709r5t4XllCC
                    MD5:74F04B131E3054AE780FD45361C41A22
                    SHA1:1437D247DB851A3E5F09EB30BFEFB789C821DE96
                    SHA-256:38B1D11CA020CDE61134A44A9CEA08862A62592F3FF9CBC8417BCE820699E871
                    SHA-512:2B144FB502AB35619661C7BB82844DA19F7299522FDB8D88DA7A7D7D021872A9D93DC5AF20C026AC3019D1214783E5424E8C5F3218982C441E9E0F52018A87B0
                    Malicious:false
                    Reputation:low
                    Preview:............................................................................d............+.....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................\............+.............v.2._.O.U.T.L.O.O.K.:.1.b.a.c.:.1.1.6.a.f.0.8.9.6.d.4.b.4.b.d.9.9.f.f.d.9.e.1.e.6.8.7.0.e.2.8.1...C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.4.2.7.T.2.1.0.5.4.2.0.0.6.3.-.7.0.8.4...e.t.l...........P.P.........L......................................................................................................................................................................................................................................................................................................

                    C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

                    Download File
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:Microsoft Outlook email folder (>=2003)
                    Category:dropped
                    Size (bytes):271360
                    Entropy (8bit):2.943422465941738
                    Encrypted:false
                    SSDEEP:6144:Yy+lFCEkNCEkrCEkaCEk/CEkICEkiXCEk+R5C:UFCEkNCEkrCEkaCEk/CEkICEkiXCEk
                    MD5:C7D39AC37F63768E6600073DE68DA047
                    SHA1:DFDD5CE6FA120D93918A832C677C9AB53AC77293
                    SHA-256:1A3441F8EEF05ED542BE55ADDE65F3275F49923D973A87E20A57C905E21D1DF9
                    SHA-512:23076FD0A76667EB6E5A67597453AB7DAEDF5F2A0ABC96AB3224A1FB168E510C1EFC1CDF1F4E0FD274DF35D4EA341584ECD3E054376608EEB764E705C180D131
                    Malicious:true
                    Reputation:low
                    Preview:!BDN.J..SM......\.......................X................@...........@...@...................................@...........................................................................$.......D.......{..........................................................................................................................................................................................................................................................................................................................X........[.(..7.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

                    Download File
                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):131072
                    Entropy (8bit):3.8263909122812763
                    Encrypted:false
                    SSDEEP:1536:OW53jEpEHP4qQ10PAwr1hDOncCEkiXCEko0QlKjikW53jEpEHP4qQ10PAwrkwo+s:8p9jcCEkiXCEkwmp9DGfw
                    MD5:912FB69A1F02BEBEA5AFBA18909ED924
                    SHA1:D357E891326255DC7B221DADA41EA467BA59FF30
                    SHA-256:C1AD03D8F4DB3ED7572F2A44F8AF3EED94F13A8978F01AD3A90589CFFD19A120
                    SHA-512:5B2C0BD78E684659C0D739D2240FA97D58FE973BBA2737EB69695D6787169F84BD2B712B8A8CE3098CE4C846CEEF6CFDA13743416BE9967C5B132EA2AA7D07C5
                    Malicious:true
                    Reputation:low
                    Preview:..$.C...j............~......................#.!BDN.J..SM......\.......................X................@...........@...@...................................@...........................................................................$.......D.......{..........................................................................................................................................................................................................................................................................................................................X........[.(..7..~.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

                    Static File Info

                    General

                    File type:RFC 822 mail, ASCII text, with very long lines (339), with CRLF line terminators
                    Entropy (8bit):5.598046075570246
                    TrID:
                    • E-Mail message (Var. 5) (54515/1) 100.00%
                    File name:e73fd063-ee8a-a9c6-f391-834415836051.eml
                    File size:30'643 bytes
                    MD5:0591a0d418cea56e92360436de6df692
                    SHA1:c890f388ad9b5d68f031b6bf68c6d8382bef024b
                    SHA256:2fb0e5872be17ec630de5c356b94cf7892bec16ebf0c06dd197c34e8f7137689
                    SHA512:91d041a1f768741b9f169eb9901cafb04255d1d564dd300f3510086ee276c0fed94effc3bff9459620ef145f9825e183f3cbfd003e0cff4c248359ea7dd99b9b
                    SSDEEP:384:aZsoS3TFrriSzFTfKSiz61To/iEK4RFBS/IpIkpi/t:aZw3VrispKSiz61To/iEKwFBS/APi/t
                    TLSH:3BD2D517E7C01C11DE6B48A06543377DBB7849DB8B6288B468AB7F3E0B4DCE782C5248
                    File Content Preview:Received: from SY8PR01MB9300.ausprd01.prod.outlook.com (2603:10c6:10:22e::19).. by ME2PR01MB3572.ausprd01.prod.outlook.com with HTTPS; Wed, 16 Apr 2025.. 14:14:02 +0000..Received: from SY6PR01CA0075.ausprd01.prod.outlook.com (2603:10c6:10:110::8).. by SY8

                    Static Mail

                    General

                    Subject:New(2) electronic signature/16/Apr/25JUREFIDREFID:156aeeca716ce806390a
                    From:DigiSigner_eSign-9282 <notice@qc.disneytech.asia>
                    To:gillian.nichols@skills.tas.gov.au
                    Cc:
                    BCC:
                    Date:Wed, 16 Apr 2025 14:13:54 +0000
                    Communications:
                    • You don't often get email from notice@qc.disneytech.asia. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> [https://storage.procore.com/api/v5/files/us-east-1/pro-core.com/prostore/20181115142657_production_1831139134.jpg?companyId=29203&toolName=admin&itemType=company_logo&itemId=29203&fileType=prostore_file&fileId=1831139134&sig=33adffa7272c6c010c50d6b67a57fdcc20e02de27c7085053d99d70bdb189306] DO NOT REPLY TO THIS EMAIL This is a notification sent from an unmonitored email address. Here is the PDF report you requested: Project: DOMs-Contract/Agreement_M4Q 3NUMBER FQE.pdf View PDF: DOMs-Contract/Agreement_M4Q 3NUMBER FQE_detail_clarification-202504012230.pdf<https://1d7005-668.icpage.net/analytics/click/?d=https%3A%2F%2Fwtltransport.com%2Fcss%2F&h=e50db9fcea&p=1&l=149&n=122&f=4a60ff7cbaaec5331e581d050c4afd55> Powered By Procore<https://procore.com> | support@procore.com<mailto:support@procore.com> | https://support.procore.com
                    Attachments:
                      Key Value
                      Receivedfrom e232-8.smtp-out.ap-southeast-1.amazonses.com (23.251.232.8) by SY3PEPF0000A725.mail.protection.outlook.com (10.167.241.21) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8655.12 via Frontend Transport; Wed, 16 Apr 2025 14:13:55 +0000
                      Authentication-Resultsspf=pass (sender IP is 23.251.232.8) smtp.mailfrom=ap-southeast-1.amazonses.com; dkim=pass (signature was verified) header.d=qc.disneytech.asia;dkim=pass (signature was verified) header.d=amazonses.com;dmarc=pass action=none header.from=qc.disneytech.asia;compauth=pass reason=100
                      Received-SPFPass (protection.outlook.com: domain of ap-southeast-1.amazonses.com designates 23.251.232.8 as permitted sender) receiver=protection.outlook.com; client-ip=23.251.232.8; helo=e232-8.smtp-out.ap-southeast-1.amazonses.com; pr=C
                      DKIM-Signaturev=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=iowwo7fd7wqffpmrry5t52h55zq2wg7s; d=amazonses.com; t=1744812834; h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type:Feedback-ID; bh=cTVo6d8pJ7YdNlURfXChzo1+lRyyq/F1CjdThnLaJ1Q=; b=XUKcm3PRA1iYMp/c3uk+iIv7MyOnKwjXww51sCfX2/KSKcnYXeyrsGpICuWiGREK NANxnZKsLcbf/ugDq25t46vxDO0xhonogd03Y/XXWa2SnjOCkHFUsKCEGLLuivDlH8p /oxxwEmq1ay6g+9ZYkpvuyiqQzW4YEDgHkP6I3Dw=
                      Message-ID<010e01963ef2fe60-81dfddf9-aae8-44c6-a84f-2da8f9b164b0-000000@ap-southeast-1.amazonses.com>
                      X-Entity-Ref-IDfba83b9ebc5b61522192b1bc5d6b52bca5ac129cf6f145846ba8dfaa072cdc78
                      X-Campaign-IDcampaign-c0154cc627e5
                      FromDigiSigner_eSign-9282 <notice@qc.disneytech.asia>
                      Togillian.nichols@skills.tas.gov.au
                      SubjectNew(2) electronic signature/16/Apr/25JUREFIDREFID:156aeeca716ce806390a
                      DateWed, 16 Apr 2025 14:13:54 +0000
                      Content-Typemultipart/alternative; boundary="--_NmP-efec200cc4747ec4-Part_1"
                      Feedback-ID::1.ap-southeast-1.Us16YYR7succb2FX0ao/OkMTR79D6OVjrMpa3mM2Evk=:AmazonSES
                      X-SES-Outgoing2025.04.16-23.251.232.8
                      Return-Path010e01963ef2fe60-81dfddf9-aae8-44c6-a84f-2da8f9b164b0-000000@ap-southeast-1.amazonses.com
                      X-EOPAttributedMessage0
                      X-EOPTenantAttributedMessage64ebab8a-ccf4-4b5c-a2d3-2b4e972d96b2:0
                      X-MS-PublicTrafficTypeEmail
                      X-MS-TrafficTypeDiagnosticSY3PEPF0000A725:EE_|SY8PR01MB9300:EE_|ME2PR01MB3572:EE_
                      X-MS-Office365-Filtering-Correlation-Ide1db5f1d-75e0-4d22-772e-08dd7cf0ecbe
                      X-MS-Exchange-AtpMessagePropertiesSA|SL
                      X-Microsoft-AntispamBCL:0;ARA:13230040|12012899012|32142699015|69100299015|5073199012|13003099007|4076899003|8096899003|43540500003;
                      X-Forefront-Antispam-ReportCIP:23.251.232.8;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:e232-8.smtp-out.ap-southeast-1.amazonses.com;PTR:e232-8.smtp-out.ap-southeast-1.amazonses.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(12012899012)(32142699015)(69100299015)(5073199012)(13003099007)(4076899003)(8096899003)(43540500003);DIR:INB;SFTY:9.25;
                      X-MS-Exchange-CrossTenant-OriginalArrivalTime16 Apr 2025 14:13:55.8629 (UTC)
                      X-MS-Exchange-CrossTenant-Network-Message-Ide1db5f1d-75e0-4d22-772e-08dd7cf0ecbe
                      X-MS-Exchange-CrossTenant-Id64ebab8a-ccf4-4b5c-a2d3-2b4e972d96b2
                      X-MS-Exchange-CrossTenant-AuthSourceSY3PEPF0000A725.ausprd01.prod.outlook.com
                      X-MS-Exchange-CrossTenant-AuthAsAnonymous
                      X-MS-Exchange-CrossTenant-FromEntityHeaderInternet
                      X-MS-Exchange-Transport-CrossTenantHeadersStampedSY8PR01MB9300
                      X-MS-Exchange-Transport-EndToEndLatency00:00:06.7067002
                      X-MS-Exchange-Processed-By-BccFoldering15.20.8632.017
                      X-Microsoft-Antispam-Mailbox-Deliveryucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4712077)(4999068)(920097)(930097)(140003)(1420198);
                      X-Microsoft-Antispam-Message-InfocxyUt5Q2ZipWMfYPR9xegNgyzWaQMOI4P1KhGsch+OAOO+E0GwZ+lwOeyPiN3ziTZP1Mt1MWmI1jKBBMAeqZpSnqdWvoNGotg+NN7fgnKo4J/KsAhwcJd58lvWB6YKPtlgfkBQFgM3DSKAsGdY+xXi+GgKkyh9epSIWwqMEAbhi7oH/bGosGLcoQw8YOqHf8YZjNmSA1kzOIANaF/bnOerLjZ5wzP7LOG64GcfbuTnuMM7VFGKth59Fh8Q0jL6Fq6vEaxo1sFJN5zmNGAHvACY3Gcvfz5ZKzNleKhGzMMpAudLtvxrxSOQJ1mz/ulBUpGwjWc4OVnSthskdm+0CRe3f5OcliLagtgUIriMbBdDsYeiEMtMcYNpk8+C+FEktj0nxFKlqgNtZPF3BvsixisKb+oZA7icSaFxR5+4+paUeVFA0AicqFjyN2zDa/xA7n39lIKa4xnEEnDgHBHpsJBbwyOZZ9anISLcRqcddCgLNkUs/UPdg4PNXmSmJQc9NM5FePc3NrV+VTHcZTpNLkMN7apxKN6ulttPPJJ+gdw3QQh3XZ3gKiB96vR/BFT5BYys4LoY57El3uqi43CrFptCro0K2zNlorLGjMifwML8MtvFmW3EToyUy9dclEkk1cA8ULq86VMql041nR7vtz53xXfV/yL+gLJCWooQ6VpW6LWn0joLEDK9ca2Z9DqQIqfXMmt/3oCF++2+6hddtAUzwz6bskUd+CuBOMkzNHS3KzY+Gd8xixwThh589Nreh8gHvtbaFhJ/dfKvFjBIlnqQ/jpwQmKw7+TA8QQIFzybr8dYMZ+w7PrWmjeilvprali2d8sgUCOJfpMtajmBY4y18aSPuyRj0hWMDA3oKs9I+JKVgV+ktnCJqx7GNFaARTdEToZJugOXFFMwNDCiJIobxQlFxNxjT6WMf5MYt7B6fd3YaFi15qMxHJeH/aO1jOs8d3vNoX5XTn/caQ5jMfKGcYXZbtCBBMa1D742vxgLLG0n5PDOt0SlsM+JrytqMQK06tAu4mmN3uKMGCw79MR/421giCdvPw/LVW9oDDsHdbNVwRwhOfGHRKBrLh+HDMPSJhMJ/+WxXytozzNqHDtKf8b9e1Kws2KL0jQoXMsuvVcq6tWC6vDVTSR9UvNLhF9yCGtvtjvs59KgpCwC9oncVf2sLfFjMj4vPQqkZfSLYxwMPZBpL8bdprQDdzYIf2DCr0kWt6aGRAdOZnsA+KGBRUIvTCQP4wbPMuQjceWCqNhCP7ZZbwj4FQZVqg2bRiS5IUy7ntCO/CiA4igNluAnQV1ybdjsbtexJeB5ihxLLLi1L18Ih36SKLqwBthaZKptNBjCZ5MKG7kUg3g2DOKF5SNksqqpPsg8pGsvSG3o94uogD3A1TfvZ06sani3jiGSbGazCLW6x2J+2nmiy6Hy9PL8uBPjaCDiM2a9C3qNrrnwhu9y8v52YswXn3LT2hdq2euKTAtRZIPPqXirn3Z9MLi6FbNbgW55RaaP8kcy7DJtIeRuHR1S11DJjAm2WN+DL+zaQ6NAPlMZVInPBPbP9IwYua+k7nqjd54bCXwKuqgGMv/7K6uQ9LROH4OCZV0biySZ/ZC+wK8fRZ4tOQuyKIHzTuy3cWmCA2rlCup2/ZFMcF/MSKxdxU7qiBLk2JtQFO+60PKZipxhRb28FZIzVEMTVcq/oQ3zkIVRew7kmigjPw349xzAOBVq5qds7l5s7hyR6kxT8eh6L/eih3SiBSpa9R3AYM9pigb5jsKnxCopMUZDuTSk+ER+XLsgJLSWug99eLf/W7nQaMHlJhcu7zJm2BaZ3WBWY+I1sfzXOcD1rfvRsLWdjikg1kOGTQnUAsk4aSTS5J9tcFYRydWWssnnfh6f95b13vXbKlOfLs3p3g0r8Xf/cnVElJPFbqxxaHGhLn/jUVdN0bl9U6nzLHoA9vCgnIZ050Y2vw2EB2Ebx9lYb4d5UjbhTt2lbgsQDcNiRkCF/aZmbeVV0s4GQKBxmTHE3/RKWEQ96vYrWj1rrZ/MwCIXxyYnlEK97/7XlblbfJfDkEYGe63SOwAlElBdSwSGzHXzMAxfWRdN0o4gyAWxEG09Q/HRx7218GjvYqwSWnpqDjLBdt2mNCGdCfovMn4oCYnowiN0Ecv61Dt3dh7PipwUn3xU2iPTVByeYCaMGVE3GK+I97j22NNVu6aK0EdS7ZlppHhBZtb7/zl3ouJzdS/O2A5LjHFXbVA2BY5FXbhUPtaBKSQ5x9H3CTNU/GpqHYNGi5NFWqyVfP5JG0U7qZcsjsO5tV+kqBi+RxICllE+2S4zjqo7ac/CElAPri+ud18lXrK1iOpLUO3V1NcwIlxhBp0eQTriHEM8L2xI9L51NgKo4HqAo5WkxNi0fn3NNGwAFatRkgMkTki7mkKyrC/zmyuU/T/xXu2UyMfOlSpV+uOQuS7uyJKkuFu9Q+08IjtNRmvTcWvzc=
                      MIME-Version1.0

                      File Icon

                      Icon Hash:46070c0a8e0c67d6

                      Network Behavior

                      DNS Answers

                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                      Apr 28, 2025 03:05:45.619761944 CEST1.1.1.1192.168.2.80x23No error (0)ecs-office.s-0005.dual-s-msedge.nets-0005.dual-s-msedge.netCNAME (Canonical name)IN (0x0001)false
                      Apr 28, 2025 03:05:45.619761944 CEST1.1.1.1192.168.2.80x23No error (0)s-0005.dual-s-msedge.net52.123.129.14A (IP address)IN (0x0001)false
                      Apr 28, 2025 03:05:45.619761944 CEST1.1.1.1192.168.2.80x23No error (0)s-0005.dual-s-msedge.net52.123.128.14A (IP address)IN (0x0001)false

                      Statistics

                      CPU Usage

                      050100s020406080100

                      Click to jump to process

                      Memory Usage

                      050100s0.0050100MB

                      Click to jump to process

                      High Level Behavior Distribution

                      • File
                      • Registry

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:21:05:41
                      Start date:27/04/2025
                      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\e73fd063-ee8a-a9c6-f391-834415836051.eml"
                      Imagebase:0xab0000
                      File size:34'446'744 bytes
                      MD5 hash:91A5292942864110ED734005B7E005C0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false
                      Show Windows behavior

                      File Activities

                      Show Windows behavior

                      Section Activities

                      Show Windows behavior

                      Registry Activities

                      Show Windows behavior

                      COM Activities

                      Show Windows behavior

                      Mutex Activities

                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                      Show Windows behavior

                      Thread Activities

                      Show Windows behavior

                      Memory Activities

                      Show Windows behavior

                      System Activities

                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                      Show Windows behavior

                      Windows UI Activities

                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                      General

                      Target ID:2
                      Start time:21:05:43
                      Start date:27/04/2025
                      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "39D5AE5F-278B-4B07-A02C-37C9C7DFD5E7" "969BD495-0C59-4644-953F-3B2F2050D124" "7084" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                      Imagebase:0x7ff74e120000
                      File size:710'048 bytes
                      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false
                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                      Show Windows behavior

                      Section Activities

                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                      Show Windows behavior

                      Mutex Activities

                      Show Windows behavior

                      Process Activities

                      Show Windows behavior

                      Thread Activities

                      Show Windows behavior

                      Memory Activities

                      Show Windows behavior

                      System Activities

                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                      Disassembly

                      No disassembly