Windows Analysis Report
LinkedIn Message.eml

Overview

General Information

Sample name:LinkedIn Message.eml
Analysis ID:1634225
MD5:a5505cea6a07bdbb8fa139e796a39978
SHA1:d5638de0ca23c3140c7fb81dfd42d91af6864365
SHA256:09070c3ae794eced7ea9b721c43e2f3e6e35b1f4a4fbefa0685ffd5c0ecf06cd
Infos:

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Suspicious Office Outbound Connections

Classification

  • System is w11x64_office
  • OUTLOOK.EXE (PID: 7748 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\LinkedIn Message.eml" MD5: 7F59D020035411A4BCF731A8320581A4)
    • ai.exe (PID: 7956 cmdline: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "F3372AE9-95A3-4689-9422-0CF66FC305F2" "30DBAC32-8DEB-44C7-BB8E-E1055402745A" "7748" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: 0ED71A2D20424DC7942E810F359DA066)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7748, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\AdobeAcroOutlook.SendAsLink\1
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.26, DestinationIsIpv6: false, DestinationPort: 60316, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, Initiated: true, ProcessId: 7748, Protocol: tcp, SourceIp: 52.123.128.14, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched

Phishing

Source: Email; Joe Sandbox AI: Detected potential phishing email: The domain 'executiverecruiters.online' and interview link 'jdlsourcing.online' are suspicious non-standard domains commonly used in recruitment scams. The email shows position inconsistency - starts with 'Remote Recruiter' position but references a CFO role in the thread. The email contains multiple duplicate copies of the same message, which is typical of poorly crafted phishing attempts
Source: Email; Joe Sandbox AI: Detected suspicious elements in Email header: Suspicious domain 'executiverecruiters.online' in return-path - .online TLD is commonly used in phishing. Mismatch between sending server (titan.email) and return-path domain (executiverecruiters.online). Unknown IP address in received headers (10.10.168.85) suggests potential masking. Internal IP address (10.10.x.x) in received headers is suspicious for external email. Domain 'executiverecruiters.online' appears to be a recruitment scam attempt. Feedback-ID format is unusual and appears to be crafted rather than from a legitimate bulk email service
Source: Email; Classification: Task Manipulation
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: browser.events.data.msn.cn
Source: prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache.0.dr; String found in binary or memory: http://augloop.office.com/settings.json
Source: prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache.0.dr; String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: LinkedIn Message.eml; String found in binary or memory: https://jdlsourcing.o=
Source: unknown; Network traffic detected: HTTP traffic on port 60316 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 60316
Source: classification engine; Classification label: mal48.winEML@3/4@1/1
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_18129_20158-20250310T1504100280-7748.etl
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\LinkedIn Message.eml"
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "F3372AE9-95A3-4689-9422-0CF66FC305F2" "30DBAC32-8DEB-44C7-BB8E-E1055402745A" "7748" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: vcruntime140.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: msvcp140.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: version.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: wintypes.dll
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Section loaded: profapi.dll
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Queries volume information: C:\Program Files\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 11 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows)
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 Process Discovery; 13 System Information Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 2 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
LinkedIn Message.eml | 0% | Virustotal | | Browse
LinkedIn Message.eml | 0% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://jdlsourcing.o= | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
onedscolprduks03.uksouth.cloudapp.azure.com | 51.105.71.137 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high
browser.events.data.msn.cn | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://augloop.office.com/settings.json | prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache.0.dr | false | | high
https://jdlsourcing.o= | LinkedIn Message.eml | false | Avira URL Cloud: safe | unknown
http://json-schema.org/draft-07/schema# | prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache.0.dr | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
52.123.128.14 | s-0005.dual-s-msedge.net | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1634225
Start date and time:2025-03-10 20:03:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 46s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:LinkedIn Message.eml
Detection:MAL
Classification:mal48.winEML@3/4@1/1
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.109.89.19, 2.22.242.112, 2.22.242.104, 2.22.242.121, 2.22.242.226, 2.22.242.81, 2.22.242.130, 2.22.242.97, 2.22.242.113, 20.189.173.8
  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, ecs.office.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, weu-azsc-000.roaming.officeapps.live.com, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, weathermapdata.blob.core.windows.net, onedscolprdwus07.westus.cloudapp.azure.com, dual-s-0005-office.config.skype.com, login.live.com, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com, a1864.dscd.akamai.net
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
No context
            Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):106496
            Entropy (8bit):4.491620504284344
            Encrypted:false
            SSDEEP:1536:YD13fte4JuEVPKzcfZJJCXcqopOXWLa3D8:Se4IEl4cfZJAXupOXWLa3D8
            MD5:CC782F3AFE37ADD34D129C1C9E3F1011
            SHA1:3D6EC2FDE8E2BB0298FA1405CB937D02175AAAB2
            SHA-256:1A7C49E011C6BF22703622FB2A9AB873243438BE3082220E0FC59925C9CC2282
            SHA-512:9032A472208D4261329AE1D841DD0DF4E88E756AC3F542309D87B1F8CB286D02697E0105B45CC44990AD227A1452A3A24F0E5B56CE08A77445BBDB7E536A91BF
            Malicious:false
            Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):629547
            Entropy (8bit):5.8330723381337535
            Encrypted:false
            SSDEEP:12288:D/ROG68mFSN/uRQ6fXm1q5IjxGk0xJpFk:VOGd/uRQ6f21Lx1
            MD5:0733C1C226E119782AE8E03F06A497DB
            SHA1:02744CC69EE22E3025954011457B1D19AEDE84D5
            SHA-256:F75CBE06E35AF43FB58FD03E75DC9F0E5FAB10BFFF37B4E75363133175E6E94F
            SHA-512:5DBCD97D8E12499BA41ECFC1B3FE055177B14AC8184AC312A527FB051D265B42832673FB487C94D4D15FB19888CB8E082E1E024A46F2B911FCEBD1D5FAA48C79
            Malicious:false
            Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:Microsoft Outlook email folder (>=2003)
            Category:dropped
            Size (bytes):271360
            Entropy (8bit):2.667048378197271
            Encrypted:false
            SSDEEP:1536:rX3Hk9CSZSLOupwXzOBSKEPW53jEpEHP4qQ10sWAwrMtuUuEW53jEpEHP4qQ10sA:wZxxp9Tf9p9
            MD5:1BA940AF3E185C41CB138A115C2E49DC
            SHA1:29CAE5E6FBAA24884E6D4C623D5708616ED2FDE1
            SHA-256:DB57336312EDD851F129CAD1B2C1353649404491679E2C079852742203F72957
            SHA-512:A875B93236F2C1D6FA0FEAEB1AFD03256F5493688D82CDB84B0A1585ACE9A9C864572E0B9E1B940A98F4042EFCABC2D470B1BB177887D4B1C4A45F0D86BE05F1
            Malicious:true
            Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):2.8986075876056243
            Encrypted:false
            SSDEEP:1536:EW53jEpEHP4qQ10sWAwr1ZlyUOBiW53jEpEHP4qQ10sWAwr5Mj8Vano:Gp92Dp9Do
            MD5:894A523C39AA9F88AD21EE05ED09F879
            SHA1:B60B55DE14D9EDE808F4D296D4E69E8312B549AA
            SHA-256:E7699C4B8BD63ABE87B79FE02741AD474C5B1122B42F71776F3E56BCB4CA6020
            SHA-512:96609B09FE2E2EA305DB07A8A8FB14D0B0260DABE36C9488ACCE4D558E0A34A7393274DC863C0DF39FB2C8C9672963BA320AAAED522D7CC9156632BD24A69B56
            Malicious:true
            File type:SMTP mail, ASCII text, with CRLF line terminators
            Entropy (8bit):5.383453238252517
            TrID:
              File name:LinkedIn Message.eml
              File size:22'078 bytes
              MD5:a5505cea6a07bdbb8fa139e796a39978
              SHA1:d5638de0ca23c3140c7fb81dfd42d91af6864365
              SHA256:09070c3ae794eced7ea9b721c43e2f3e6e35b1f4a4fbefa0685ffd5c0ecf06cd
              SHA512:0fbf12b6e9c5ad31ecc8af9b1d344632e92706da06771819ef1096205d94da63d58f5ece3b0e46dc8c884bb9f1a6337114be33fa3e9cd07280889bf934ad6504
              SSDEEP:384:zIVt6HelAdeoKzMikdeoLbPciMNKiSXyi49fUidI0+XN8ikDemHIP9gYsqirtYkb:zIa+1ofi/o0iRiHiVidI0+GiB2IqYBiX
              TLSH:04A28401E24007E282FB996476DE670CA7360F8F5F078AF4396E1964DB4E67E23C2759
              File Content Preview:Delivered-To: jesse.mortensen5@gmail.com..Received: by 2002:a05:6f02:58f:b0:7c:faee:b960 with SMTP id g15csp723rcc;.. Thu, 20 Feb 2025 10:28:11 -0800 (PST)..X-Google-Smtp-Source: AGHT+IFSoMb3lZrdAs2FYbRlrgeX6+ohQJ+58shQkFiMpuRWAeo9REWl7b7K2TajUkmg4
              Subject:Re: LinkedIn Message
              From:TalentsConnect <talentsconnect@executiverecruiters.online>
              To:Jesse Mortensen <jesse.mortensen5@gmail.com>
              Cc:
              BCC:
              Date:Thu, 20 Feb 2025 18:28:11 +0000
              Communications:
              • Dear Jesse, Thank you for applying for the Remote Recruiter position. After reviewing your resume, we were highly impressed with your experience and believe you could be a great fit for our team. We would love to set up an interview to explore your skills in more detail and discuss how you could contribute to our dynamic work environment. The interview will be conducted via: Zoom/Google Meet https://jdlsourcing.online/ Please use the link below to schedule a time that works best for you. This conversation will allow us to gain deeper insight into your expertise while giving you the chance to ask any questions you may have about the role. We look forward to speaking with you soon! Best regards, On Feb 20 2025, at 12:21 pm, Jesse Mortensen <jesse.mortensen5@gmail.com> wrote: Hi Jah-Nella, I got your message on LinkedIn. I'd be interested to have a discussion about the CFO role you mentioned. I didn't see it posted on LinkedIn with the other jobs, so I couldn't look more closely at what you're looking for. I have some time tomorrow between 3 - 4:30 ET, or on Monday after 2 pm ET. I'm in the mountain time zone just so you know. I look forward to speaking with you. Thank you, Jesse Mortensen
              Attachments:
                Key Value
                Delivered-To: jesse.mortensen5@gmail.com
                Received: from webmail-out.titan.email (unknown [10.10.168.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp-out.flockmail.com (Postfix) with ESMTPSA id 202F814055B for <jesse.mortensen5@gmail.com>; Thu, 20 Feb 2025 18:28:11 +0000 (UTC)
                X-Google-Smtp-Source: AGHT+IFSoMb3lZrdAs2FYbRlrgeX6+ohQJ+58shQkFiMpuRWAeo9REWl7b7K2TajUkmg4XIRshqT
                X-Received: by 2002:a05:622a:1394:b0:471:fa40:cb1b with SMTP id d75a77b69052e-47222961212mr3418441cf.38.1740076091594; Thu, 20 Feb 2025 10:28:11 -0800 (PST)
                ARC-Seal: i=1; a=rsa-sha256; t=1740076091; cv=none; d=google.com; s=arc-20240605; b=KOpnZXxXw8eYWfmyde3uQ4FU2u5JQVUc12BCEre9xpu/n4RIDqJCudZ+5tsV7J8uEd c0/M9baCwD1iotwMdulWXlDJT2x+UeAnYQXYcfeAMr+MbtoJC+M9P+7pXm/ohjwIRUny REZsEHlVGcAU5En8vD/uO6oRFgKE31pUHC5EqYtiRx+dOyQE0o89rqYlZ2TwZMJ3rDLX RC8kPfixDmLckHlY+8R9k9boUs1P6jvg/vvLSZMZHvnUKMsMU4WWV22wr7hbRpcwyYBY SrmItejGlqFe+REt/YERHtMP7eR9dXpOUr/SRRkB41WJfPXEkfLQ8SsXaznKR9yX2Cj1 +MEg==
                ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:subject:references:in-reply-to:message-id:to:from :feedback-id:date:dkim-signature; bh=glzRciTalAfOy55Kgn+ruMzDbg/C67qWGvUcUuHUzn8=; fh=GTf/adB4BlUJmBy2WiGgjSOmuWrulx0egDP952b9byA=; b=bQyZ3E/RwqXElhmB9H7Fw2an40yQehxRbokwzVJhFc4m8VRCyGOn+zxOIPKc+V/xTL FdFuCOa4bEEwAdJENbWHcBvqPlSUM/xkF+GRo4/9NhGacj22WYybauSJxzWH9xEJK2P0 xKjJGMmSvwM+y2oRa+INU2av6XcysN1gXxmXXXBFb/oBAgboAcUENusdoS3vPFmG/CH+ l/dmwuD9lwawEn7S5fNFkqsp9OhzahOOCayXqqUuyUD5uMWMbYVgKpMpuq1roiztMhBQ YT/ga4T8pgVqXVVdHJ9D0MHc87t36EMRFWCMt9+lD5ZPAoc5rqmqteWs2d6yfaAqLAMH eldA==; dara=google.com
                ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@executiverecruiters.online header.s=titan1 header.b=X98eCmsY; spf=pass (google.com: domain of talentsconnect@executiverecruiters.online designates 52.206.209.181 as permitted sender) smtp.mailfrom=talentsconnect@executiverecruiters.online
                Return-Path: <talentsconnect@executiverecruiters.online>
                Received-SPF: pass (google.com: domain of talentsconnect@executiverecruiters.online designates 52.206.209.181 as permitted sender) client-ip=52.206.209.181;
                Authentication-Results: mx.google.com; dkim=pass header.i=@executiverecruiters.online header.s=titan1 header.b=X98eCmsY; spf=pass (google.com: domain of talentsconnect@executiverecruiters.online designates 52.206.209.181 as permitted sender) smtp.mailfrom=talentsconnect@executiverecruiters.online
                DKIM-Signature: a=rsa-sha256; bh=glzRciTalAfOy55Kgn+ruMzDbg/C67qWGvUcUuHUzn8=; c=relaxed/relaxed; d=executiverecruiters.online; h=mime-version:date:message-id:to:references:subject:from:in-reply-to:from:to:subject:date:message-id:in-reply-to:references:cc:reply-to; q=dns/txt; s=titan1; t=1740076091; v=1; b=X98eCmsYqYQ6bllaAhrcJxS47bWe8CRAcOpoLPIlkQ76BOhcYyQaPq92YXh5cm4b7lPKTi37 ANyULWMmayd8wejgVafrhOqCJfhJ2KsxSYz07QIEA+wMLUr9lXqdeduRqs8AV/70MxjiSZVqYkZ ZUK0JgAvIlP0EfojdPs8vtmQ=
                Date: Thu, 20 Feb 2025 18:28:11 +0000
                Feedback-ID: :talentsconnect@executiverecruiters.online:executiverecruiters.online:flockmailId
                From: TalentsConnect <talentsconnect@executiverecruiters.online>
                To: Jesse Mortensen <jesse.mortensen5@gmail.com>
                Message-ID: <170120213141799936.0.v2@titan.email>
                In-Reply-To: <CAB8rZ5mvzV8Sx8yQzaMFbOfTwp3Vk_2v0N7Z1-v9RS0Patoj0w@mail.gmail.com>
                References: <CAB8rZ5mvzV8Sx8yQzaMFbOfTwp3Vk_2v0N7Z1-v9RS0Patoj0w@mail.gmail.com> <170120213141799936.0.v2@titan.email>
                Subject: Re: LinkedIn Message
                MIME-Version: 1.0
                Content-Type: multipart/related; boundary="----=_Part_2631273_410948239.1740076091118"
                X-F-Verdict: SPFVALID
                X-Titan-Src-Out: 1740076091157722944.32605.3755427858744724718@prod-use1-smtp-out1003.
                X-CMAE-Score: 0
                X-CMAE-Analysis: v=2.4 cv=bq22BFai c=1 sm=1 tr=0 ts=67b7743b a=1+P3+fEeChycT/Km5gNS4g==:117 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=CEWIc4RMnpUA:10 a=mJuYbuCAAAAA:8 a=xBh4JgPmAAAA:8 a=pGLkceISAAAA:8 a=Fqg_6W1zVX9FU9f40gIA:9 a=otTNm43WNoCVQzZ-:21 a=QEXdDO2ut3YA:10 a=-FEs8UIgK8oA:10 a=7dmgxLo7aYgc5-pCpkrl:22 a=4a_c2-cl22bMPPxq3aM5:22

                Icon Hash:46070c0a8e0c67d6
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Mar 10, 2025 20:04:45.095630884 CET | 60316 | 443 | 192.168.2.26 | 52.123.128.14
                Mar 10, 2025 20:04:45.095675945 CET | 443 | 60316 | 52.123.128.14 | 192.168.2.26
                Mar 10, 2025 20:04:45.095735073 CET | 60316 | 443 | 192.168.2.26 | 52.123.128.14
                Mar 10, 2025 20:04:45.099602938 CET | 60316 | 443 | 192.168.2.26 | 52.123.128.14
                Mar 10, 2025 20:04:45.099616051 CET | 443 | 60316 | 52.123.128.14 | 192.168.2.26
                Mar 10, 2025 20:05:45.039889097 CET | 60316 | 443 | 192.168.2.26 | 52.123.128.14

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Mar 10, 2025 20:04:04.159631968 CET | 55407 | 53 | 192.168.2.26 | 1.1.1.1
                Mar 10, 2025 20:04:04.167239904 CET | 53 | 55407 | 1.1.1.1 | 192.168.2.26

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Mar 10, 2025 20:04:04.159631968 CET | 192.168.2.26 | 1.1.1.1 | 0xc4eb | Standard query (0) | browser.events.data.msn.cn | A (IP address) | IN (0x0001) | false

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Mar 10, 2025 20:04:04.167239904 CET | 1.1.1.1 | 192.168.2.26 | 0xc4eb | No error (0) | browser.events.data.msn.cn | global.asimov.events.data.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 10, 2025 20:04:04.167239904 CET | 1.1.1.1 | 192.168.2.26 | 0xc4eb | No error (0) | global.asimov.events.data.trafficmanager.net | onedscolprduks03.uksouth.cloudapp.azure.com | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 10, 2025 20:04:04.167239904 CET | 1.1.1.1 | 192.168.2.26 | 0xc4eb | No error (0) | onedscolprduks03.uksouth.cloudapp.azure.com | | 51.105.71.137 | A (IP address) | IN (0x0001) | false
                Mar 10, 2025 20:04:45.091798067 CET | 1.1.1.1 | 192.168.2.26 | 0xe2e7 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                Mar 10, 2025 20:04:45.091798067 CET | 1.1.1.1 | 192.168.2.26 | 0xe2e7 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                Mar 10, 2025 20:04:45.091798067 CET | 1.1.1.1 | 192.168.2.26 | 0xe2e7 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false


                Target ID:0
                Start time:15:04:09
                Start date:10/03/2025
                Path:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\LinkedIn Message.eml"
                Imagebase:0x7ff752b10000
                File size:44'112'520 bytes
                MD5 hash:7F59D020035411A4BCF731A8320581A4
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:false

                Target ID:1
                Start time:15:04:12
                Start date:10/03/2025
                Path:C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "F3372AE9-95A3-4689-9422-0CF66FC305F2" "30DBAC32-8DEB-44C7-BB8E-E1055402745A" "7748" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                Imagebase:0x7ff7e0ae0000
                File size:827'048 bytes
                MD5 hash:0ED71A2D20424DC7942E810F359DA066
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false

                No disassembly