Windows Analysis Report
Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg

Overview

General Information

Sample name:Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg
renamed because original name is a hash value
Original sample name:Rappel vous n'avez pas encore sign mon invitation.msg
Analysis ID:1636210
MD5:3313fff0d34723eb62aecea4bdb1dad8
SHA1:f89ef1e57ae4492f3b3a054b44d2af10b93600f6
SHA256:b564f128e8c4724355f4b915671dc1edd357bc52351a33c1df8e3636aa9b49e1

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected suspicious elements in Email content
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w11x64_office
  • OUTLOOK.EXE (PID: 7768 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg" MD5: 7F59D020035411A4BCF731A8320581A4)
    • ai.exe (PID: 7952 cmdline: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "BEBD22F3-DA64-4794-A97B-CAEDAF465374" "D659FF91-10B8-414B-97CC-D8BD2BC30811" "7768" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: 0ED71A2D20424DC7942E810F359DA066)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7768, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\AdobeAcroOutlook.SendAsLink\1
No Suricata rule has matched

Phishing

Source: Email, Joe Sandbox AI: Email contains prominent button: 'signer mes documents'
Source: Email, Joe Sandbox AI: Detected potential phishing email: The email uses urgency tactics and time pressure to push for immediate action. The sender domain 'secure-sign.fr' appears suspicious and mimics legitimate signing services. Contains suspicious tracking/redirect links with multiple layers of URL obfuscation
Source: Email, Classification: Credential Stealer
Source: prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache.0.dr, String found in binary or memory: http://augloop.office.com/settings.json
Source: prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache.0.dr, String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg, String found in binary or memory: https://aka.ms/LearnAbo__substg1.0_8017001F
Source: Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg, String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg, String found in binary or memory: https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fr.smtp.extranet-it.fr%2Ftr%2Fcl%2F
Source: Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg, String found in binary or memory: https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fr.smtp.extranet-it.fr%2Ftr%2Fun%2F
Source: Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg, String found in binary or memory: https://r.smtp.extranet-it.fr/tr/op/C1jMfdeWVbLUtHZ-KUEEWdAz45yzRSa5d3WIXmmhoGd-4Ibiy2NbEIl-wkSyjjUg
Source: Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg, String found in binary or memory: https://r.smtp.extranet-it.fr/tr/un/li/8QlAc4aSv4J7vMmCAFHqlSfQaJDB_-SKHIPs6zXrMrwgLVnm7EL6QbfHKRMc7
Source: classification engine, Classification label: mal48.winMSG@3/5@0/0
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_18129_20158-20250312T0930170205-7768.etl
Source: unknown, Process created: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg"
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, Process created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "BEBD22F3-DA64-4794-A97B-CAEDAF465374" "D659FF91-10B8-414B-97CC-D8BD2BC30811" "7768" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe, Section loaded: apphelp.dll, c2r64.dll, vcruntime140_1.dll, vcruntime140.dll, msvcp140.dll, userenv.dll, msasn1.dll, kernel.appcore.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, version.dll, windows.storage.dll, wintypes.dll, profapi.dll
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, Window found: window name: SysTabControl32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information queried: ProcessInformation
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe, Queries volume information: C:\Program Files\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: 21 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows)
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
  • Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 1 Process Discovery; 13 System Information Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

No Antivirus matches
Source | Detection | Scanner | Label
https://r.smtp.extranet-it.fr/tr/un/li/8QlAc4aSv4J7vMmCAFHqlSfQaJDB_-SKHIPs6zXrMrwgLVnm7EL6QbfHKRMc7 | 0% | Avira URL Cloud | safe
https://r.smtp.extranet-it.fr/tr/op/C1jMfdeWVbLUtHZ-KUEEWdAz45yzRSa5d3WIXmmhoGd-4Ibiy2NbEIl-wkSyjjUg | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
a726.dscd.akamai.net | 2.22.242.226 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://augloop.office.com/settings.json | prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache.0.dr | false | | high
https://aka.ms/LearnAbo__substg1.0_8017001F | Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg | false | | high
https://r.smtp.extranet-it.fr/tr/un/li/8QlAc4aSv4J7vMmCAFHqlSfQaJDB_-SKHIPs6zXrMrwgLVnm7EL6QbfHKRMc7 | Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg | false | Avira URL Cloud: safe | unknown
http://json-schema.org/draft-07/schema# | prep___Program Files_Microsoft Office_root_Office16_AugLoop_bundle_js_V8_perf.cache.0.dr | false | | high
https://r.smtp.extranet-it.fr/tr/op/C1jMfdeWVbLUtHZ-KUEEWdAz45yzRSa5d3WIXmmhoGd-4Ibiy2NbEIl-wkSyjjUg | Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg | false | Avira URL Cloud: safe | unknown
https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fr.smtp.extranet-it.fr%2Ftr%2Fun%2F | Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg | false | | high
https://aka.ms/LearnAboutSenderIdentification | Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg | false | | high
https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fr.smtp.extranet-it.fr%2Ftr%2Fcl%2F | Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg | false | | high
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1636210
Start date and time:2025-03-12 14:29:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 22s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Number of analysed new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg
renamed because original name is a hash value
Original Sample Name:Rappel vous n'avez pas encore sign mon invitation.msg
Detection:MAL
Classification:mal48.winMSG@3/5@0/0
Cookbook Comments:
  • Found application associated with file extension: .msg
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.65.89, 20.42.73.26, 52.123.128.14, 20.109.210.53, 2.22.242.226
  • Excluded domains from analysis (whitelisted): ecs.office.com, dual-s-0005-office.config.skype.com, slscr.update.microsoft.com, uci.cdn.office.net, onedscolprdeus11.eastus.cloudapp.azure.com, ecs.office.trafficmanager.net, res-stls-prod.edgesuite.net, mobile.events.data.microsoft.com, mobile.events.data.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-0005.dual-s-msedge.net | SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.17087.14702.xlsx | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.17087.14702.xlsx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.17087.14702.xlsx | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | REFUND STATUS.docx | malicious | Unknown | 52.123.128.14
s-0005.dual-s-msedge.net | Message.eml | malicious | HTMLPhisher | 52.123.129.14
s-0005.dual-s-msedge.net | Purchase Inquiry.xla.xlsx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | Invoice#3121408663.eml | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | Fiyat teklifi.docx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | Fiyat teklifi.docx | malicious | Unknown | 52.123.129.14
s-0005.dual-s-msedge.net | PO 0059.docx | malicious | Unknown | 52.123.128.14
a726.dscd.akamai.net | SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.17087.14702.xlsx | malicious | Unknown | 2.22.242.9
a726.dscd.akamai.net | REFUND STATUS.docx | malicious | Unknown | 2.22.242.121
a726.dscd.akamai.net | Purchase Inquiry.xla.xlsx | malicious | Unknown | 2.22.242.9
a726.dscd.akamai.net | Purchase Inquiry.xla.xlsx | malicious | Unknown | 2.22.242.113
a726.dscd.akamai.net | Fiyat teklifi.docx | malicious | Unknown | 2.16.164.65
a726.dscd.akamai.net | PO 0059.docx | malicious | Unknown | 2.19.11.98
a726.dscd.akamai.net | expense-report.xlsx | malicious | Unknown | 2.22.242.98
a726.dscd.akamai.net | NEW__Review_202551087.svg | malicious | HTMLPhisher | 2.22.242.88
a726.dscd.akamai.net | Purchase Inquiry.xla.xlsx | malicious | Unknown | 2.22.242.113
a726.dscd.akamai.net | Bozza nuovo ordine 0010979742.xls | malicious | Unknown | 2.22.242.99
Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):94208
Entropy (8bit):4.43802986225851
Encrypted:false
SSDEEP:768:vot95e4pNCFZuvwVVjWm4mmJXbxs26SX5B8uwbHhKQ:vKvV8/T4mmJXb+26SX5LU5
MD5:DA2ABE945800FF7B18AB4B54A9B4A357
SHA1:9AEC202719D6C7989C1BCF89F6F4148E98F3BCA2
SHA-256:CF4D5B1F488AAB3FB53A94F1985B107A4335B035277ACA70AD37CCDA5977FF17
SHA-512:D2FC3BB91CE132F87A7214DE73EED4F9B70E03C8C1A4EDB8BF25C4C03D09900A062D9BC004251DD3A031837819BB9DBAB524D3A21255DC05C840D7F2BE55C8AB
Malicious:false
Reputation:low

Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):629547
Entropy (8bit):5.8330723381337535
Encrypted:false
SSDEEP:12288:D/ROG68mFSN/uRQ6fXm1q5IjxGk0xJpFk:VOGd/uRQ6f21Lx1
MD5:0733C1C226E119782AE8E03F06A497DB
SHA1:02744CC69EE22E3025954011457B1D19AEDE84D5
SHA-256:F75CBE06E35AF43FB58FD03E75DC9F0E5FAB10BFFF37B4E75363133175E6E94F
SHA-512:5DBCD97D8E12499BA41ECFC1B3FE055177B14AC8184AC312A527FB051D265B42832673FB487C94D4D15FB19888CB8E082E1E024A46F2B911FCEBD1D5FAA48C79
Malicious:false
Reputation:moderate, very likely benign file
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):163840
                  Entropy (8bit):0.46607996773869725
                  Encrypted:false
                  SSDEEP:192:/1HplSgMzPKJvY5ugVd753uUIMn4HOAgAbAWa1cLLwi1EE1X2NgiXHWQOopp/:djrM7dLVeUIMn4uHMwi1EEFZiXHOop
                  MD5:46B56287FA6049BE20D5EF40B1B912C7
                  SHA1:8F941FF544D7463B8C96D228F50C57A099C709E2
                  SHA-256:4E632D37597D17EB7491A35C40CA2850E19C6006C275BA5FD350CCEE8FE206B3
                  SHA-512:5AD05C628BB63C24CBADCB16532AE2D1EC9DA35C0E017B223C6A1A6558E86CA54C95A2625FA10DF64593774967872AF0E7425FCF2596BDCBF571882715ACDCBF
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Microsoft Outlook email folder (>=2003)
                  Category:dropped
                  Size (bytes):271360
                  Entropy (8bit):1.2322226331308352
                  Encrypted:false
                  SSDEEP:768:YNQcIozwmieGSTrKw7GMS0sN9+4xBfvj/n8BUTIZ:DEhhnsPffvj/eNZ
                  MD5:77A3366C6054F1B2336D456B5968F03F
                  SHA1:2A363404E77B2985F8A6363569DB822CA9B0D32F
                  SHA-256:332DC5B21C46AA9193BABBC73F31A5404849C620A39DEC198BAE2061FBBDEB85
                  SHA-512:E5FBA2ABF993183DCDB8C2D6AFBF9CF24FBBAAB9DE35CFF17B59BF15AF77397F53AB5040FD98723C6CD13F2626512C6FA2825136DC274199880613CA936FC390
                  Malicious:true
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):131072
                  Entropy (8bit):0.902907282775106
                  Encrypted:false
                  SSDEEP:192:1oOJMmDexVfrzTMHB+LoL230mpOetL7Ici1R434EO7z:1XJfDenjMHBDC3pH17S1R8O
                  MD5:C2E3B79EDBCB5F8E1BDB701D464A3105
                  SHA1:C58829FD1F5392E496EFD7B1DEF48ECE3855CF11
                  SHA-256:38D006A8AC606954D9EFA331DB7A747C11101200FCCAB4A929947A0E819BBA9D
                  SHA-512:83284180CBAC9C778582134DF34E1E5EF3A7F1BFDD97E843000017EACB8D7AC1860A7307D41AED87E001A3ED70272A9557CE8960DA8F1D299A0E6434536DDDC4
                  Malicious:true
                  Reputation:low
                  File type:CDFV2 Microsoft Outlook Message
                  Entropy (8bit):4.249814082383801
                  TrID:
                  • Outlook Message (71009/1) 58.92%
                  • Outlook Form Template (41509/1) 34.44%
                  • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                  File name:Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg
                  File size:129'536 bytes
                  MD5:3313fff0d34723eb62aecea4bdb1dad8
                  SHA1:f89ef1e57ae4492f3b3a054b44d2af10b93600f6
                  SHA256:b564f128e8c4724355f4b915671dc1edd357bc52351a33c1df8e3636aa9b49e1
                  SHA512:5375024ef2a2d0878462c9843b0578f3c69cfff7131115a08e91b22646239800d94ec7438d667fba6a605c2a985ce3b2a9a2ccd0859577117f47d3f1cfe1fef0
                  SSDEEP:1536:W1coW2WlXTg3kOFrAk2kWeWIHvk3k+1xrnrxrVLBW/C8ZXs8MwueMXVzvHauL:W1cTlsAnCPF4WY8MwueMXB
                  TLSH:30C333243AEA111EF3B3AF718FE6A4AF8526FC536E15955E2095330D0732D41D862F3A
                  Subject:Rappel: vous n'avez pas encore sign mon invitation
                  From:<noreply@secure-sign.fr>
                  To:<bperan@sicakerisnel.com>
                  Cc:
                  BCC:
                  Date:Wed, 12 Mar 2025 11:51:42 +0100
                  Communications:
                  • Vous nobtenez pas souvent de-mail partir de noreply@secure-sign.fr. Pourquoi cest important <https://aka.ms/LearnAboutSenderIdentification> Ce message provient d'un expditeur externe Veuillez faire preuve de prudence : ce courriel provient de l'extrieur de l'organisation. Ne cliquez pas sur les liens et n'ouvrez pas les pices jointes si vous ne reconnaissez pas l'expditeur et si vous n'tes pas sr du contenu. <https://r.smtp.extranet-it.fr/tr/op/C1jMfdeWVbLUtHZ-KUEEWdAz45yzRSa5d3WIXmmhoGd-4Ibiy2NbEIl-wkSyjjUgzpL9VONxjvhCojOhrBKtRGx-vjjxMg92oj7TpxKhVUopG_dxQIXW6tV1YeJ961DRgiY0BaQF_v2paj_BuBXtOD2MWwKpjrCXQ4yyUm0JXfk10yBe0t5EmDfS2CusRWlX4WVMnOrNfIL6o1E> Procdure de signature propose par Secure Sign Documents en attente de signature Bonjour PERAN BRUNO Nous tenons vous rappeler qu'un document ncessite votre signature depuis le 10/03/2025 15:52:11 Il vous reste 178 jours pour finaliser la signature de ces documents. Pour procder la signature, veuillez cliquer sur le bouton ci-dessous : Signer mes documents <https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fr.smtp.extranet-it.fr%2Ftr%2Fcl%2FoWlyvglry0_EhduUTPejg6RneyTucTlgIU7eA9ehvctPV53T70SVoXFeyUvcntgAsJB_LAkhjFgcD71VBTb7U-5t81Em90s8BqOH1vnD4IsWbCQxQsZS1ha2FbbcQNvvpgeq-k37RCkm-BHEdVCG9k2BbI9-vUN6Xt4dMnToINLoCFt8J2F0Gasu0nRnXSFiuG3cxmtXuEYkck906uDgMxDWpiWM2-Hib3t6prOdMAEp5wANWnvhUrtZARFfSdEo144GTo-shRg-NuLWbaLqUaBgNkklEjkfKxL4TwiSRFMEmPok2qm3RCmSB4nhekzuw5BQ4hW_GZr3DO_putdmdP5xkuyGts_byTZCvEhu17da7f-XxKkNiDyay0GWbA&data=05%7C02%7Cbperan%40sicakerisnel.com%7C584312da0b174783698708dd6153e346%7C10673b25755f4fae8d1785013a410262%7C0%7C0%7C638773735271864200%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C60000%7C%7C%7C&sdata=xo2ZBBCu6ztyfikxynt4gbM1rkNeCMueVsUfJ7ZKp84%3D&reserved=0> Conservez prcieusement cet email. 
Pour plus d'informations, rendez-vous sur notre site SecureSign.fr Merci pour votre confiance Merci de ne pas rpondre ce courrier lectronique. France Numrique, SAS au capital de 37 666 712,00 immatricule au Registre du Commerce et des Socits de Bobigny sous le n 840 361 745 - 41 rue Delizy, 93500 Pantin.
                  Attachments:
                    Key Value
                    Received: by smtp-relay.sendinblue.com with ESMTP id 917d64da-d0b2-40e3-b44d-fe5f1e5750b5; Wed, 12 March 2025 10:51:47 +0000 (UTC)
                    10:52:06 +0000
                    by AS2PR09MB6079.eurprd09.prod.outlook.com (2603:10a6:20b:55a::5) with
                    2025 10:51:49 +0000
                    (2603:10a6:102:11e::20) with Microsoft SMTP Server (version=TLS1_3,
                    12 Mar 2025 10:51:48 +0000
                    Authentication-Results: spf=pass (sender IP is 172.246.32.203)
                    Received-SPF: Pass (protection.outlook.com: domain of smtp.extranet-it.fr
                    via Frontend Transport; Wed, 12 Mar 2025 10:51:47 +0000
                    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secure-sign.fr;
                    h=from:subject:date:to:mime-version:content-type:content-transfer-encoding:list-unsubscribe:x-csa-complaints:list-unsubscribe-post:message-id:x-sib-id:feedback-id;
                    X-Mailin-EID: MjA2NjIyMjAyfmJwZXJhbkBzaWNha2VyaXNuZWwuY29tfjwyMDI1MDMxMjEwNTEuODQ4MTUzODgyNDdAc210cC1yZWxheS5zZW5kaW5ibHVlLmNvbT5%2Bc210cC5leHRyYW5ldC1pdC5mcg%3D%3D
                    Date: 12 Mar 2025 11:51:42 +0100
                    Subject: =?UTF-8?Q?Rappel:_vous_n'avez_pas_encore_sign=C3=A9_mon_invitation?=
                    Mime-Version: 1.0
                    Content-Type: text/html; charset=utf-8
                    Content-Transfer-Encoding: base64
                    Message-Id: <202503121051.84815388247@smtp-relay.sendinblue.com>
                    Origin-messageId: <202503121051.84815388247@smtp-relay.sendinblue.com>
                    To: <bperan@sicakerisnel.com>
                    X-sib-id: XSE2oMaA4cWEewrpR853yQ-vis8PTswg_JAAjWxdugOcuByqEdCCsPFTE0DlBruShK4txSOr993vG0PxrhBQBvgQArJcAbbBMsWJvWPv28M5LZz6q1B04UCr_kYPXUAkPafwdf0ULdVphugU2JM40tV6MPLUNOLA2ekhfY8nHq4A-5gBgQ
                    X-CSA-Complaints: csa-complaints@eco.de
                    List-Unsubscribe-Post: List-Unsubscribe=One-Click
                    Feedback-ID: 172.246.32.203:5924504_-1:5924504:Sendinblue
                    From: <noreply@secure-sign.fr>
                    List-Unsubscribe: <https://r.smtp.extranet-it.fr/tr/un/li/8QlAc4aSv4J7vMmCAFHqlSfQaJDB_-SKHIPs6zXrMrwgLVnm7EL6QbfHKRMc7JpnOVin6MSULdSPiL2ZkBCvEI2oVP1SufAGxXVNyiu9ZKTtoD80rY5sr52aWOn-YxL8OWQRoAootcicW0wkV-wMKHCdSwU9aC65Vv_zL4rrz6aNZRoU2yrNWqFnAnbdtw6T5f7TqjeElHDKT-AWZmMqgsMPjDtMKId6RvhZMErNkkcCevUsAgVPvfNFHYvrnkFaHlfoSLzwpg>
                    Return-Path: bounces-206622202-668858699@smtp.extranet-it.fr
                    X-MS-Exchange-Organization-ExpirationStartTime: 12 Mar 2025 10:51:47.9700
                    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
                    X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
                    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
                    X-MS-Exchange-Organization-Network-Message-Id: 584312da-0b17-4783-6987-08dd6153e346
                    X-EOPAttributedMessage: 0
                    X-EOPTenantAttributedMessage: 10673b25-755f-4fae-8d17-85013a410262:0
                    X-MS-Exchange-Organization-MessageDirectionality: Incoming
                    X-MS-PublicTrafficType: Email
                    X-MS-TrafficTypeDiagnostic: PA2PEPF00019232:EE_|AS2PR09MB6079:EE_|DU2PR09MB5311:EE_
                    X-MS-Exchange-Organization-AuthSource: PA2PEPF00019232.FRAP264.PROD.OUTLOOK.COM
                    X-MS-Exchange-Organization-AuthAs: Anonymous
                    X-MS-Office365-Filtering-Correlation-Id: 584312da-0b17-4783-6987-08dd6153e346
                    X-MS-Exchange-AtpMessageProperties: SA|SL
                    X-MS-Exchange-Organization-SCL: 1
                    X-Microsoft-Antispam: BCL:0;ARA:13230040|4022899009|69100299015|5073199012|12012899012|8096899003|4076899003;
                    X-Forefront-Antispam-Report: CIP:172.246.32.203;CTRY:FR;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:smtp.extranet-it.fr;PTR:smtp.extranet-it.fr;CAT:NONE;SFTY:9.25;SFS:(13230040)(4022899009)(69100299015)(5073199012)(12012899012)(8096899003)(4076899003);DIR:INB;SFTY:9.25;
                    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Mar 2025 10:51:47.9544
                    X-MS-Exchange-CrossTenant-Network-Message-Id: 584312da-0b17-4783-6987-08dd6153e346
                    X-MS-Exchange-CrossTenant-Id: 10673b25-755f-4fae-8d17-85013a410262
                    X-MS-Exchange-CrossTenant-AuthSource: PA2PEPF00019232.FRAP264.PROD.OUTLOOK.COM
                    X-MS-Exchange-CrossTenant-AuthAs: Anonymous
                    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
                    X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS2PR09MB6079
                    X-MS-Exchange-Transport-EndToEndLatency: 00:00:18.8709963
                    X-MS-Exchange-Processed-By-BccFoldering: 15.20.8511.025
                    X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4712020)(920097)(930097)(140003)(1420198);
                    X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?rsRcDmVHMuomy0xzr4/raN/B62gXzxLkBLOwKXNbZU8vBcQTzPnCLDabq2dM?=
                    date: Wed, 12 Mar 2025 11:51:42 +0100

                    Icon Hash:c4e1928eacb280a2
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Mar 12, 2025 14:30:19.963524103 CET | 1.1.1.1 | 192.168.2.27 | 0xd812 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
                    Mar 12, 2025 14:30:19.963524103 CET | 1.1.1.1 | 192.168.2.27 | 0xd812 | No error (0) | s-0005.dual-s-msedge.net |  | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:19.963524103 CET | 1.1.1.1 | 192.168.2.27 | 0xd812 | No error (0) | s-0005.dual-s-msedge.net |  | 52.123.129.14 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net |  | CNAME (Canonical name) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.226 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.224 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.131 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.138 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.129 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.144 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.225 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.136 | A (IP address) | IN (0x0001) | false
                    Mar 12, 2025 14:30:38.173544884 CET | 1.1.1.1 | 192.168.2.27 | 0x31ad | No error (0) | a726.dscd.akamai.net |  | 2.22.242.130 | A (IP address) | IN (0x0001) | false

                    Target ID:0
                    Start time:09:30:16
                    Start date:12/03/2025
                    Path:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Rappel vous n'avez pas encore sign#U00e9 mon invitation.msg"
                    Imagebase:0x7ff74e8b0000
                    File size:44'112'520 bytes
                    MD5 hash:7F59D020035411A4BCF731A8320581A4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:2
                    Start time:09:30:18
                    Start date:12/03/2025
                    Path:C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe" "BEBD22F3-DA64-4794-A97B-CAEDAF465374" "D659FF91-10B8-414B-97CC-D8BD2BC30811" "7768" "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                    Imagebase:0x7ff6c2850000
                    File size:827'048 bytes
                    MD5 hash:0ED71A2D20424DC7942E810F359DA066
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    No disassembly