Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Notification of a Compromised Email Account.msg

Overview

General Information

Sample name:	Notification of a Compromised Email Account.msg
Analysis ID:	1586759
MD5:	fc1996bf5ff9d481207a4308813b7664
SHA1:	bd5fab6cc11e0b6ae81d6e31195800b90c5bba32
SHA256:	d831fc71e32982ee94e8944ff97cf8205b984b49a5cfa16c24e5eb06d0de26f5
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected potential phishing Email

Email SPF failed

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

×

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 2184 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Notification of a Compromised Email Account.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6196 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "15AB6D5B-DD4C-4021-92C2-89AAE7974098" "633592FF-07EB-4F19-8BC6-95D7F4FA68D7" "2184" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2184, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected potential phishing Email

Source: Email

Joe Sandbox AI: Detected potential phishing email: This is likely a phishing attempt masquerading as a security notification about a compromised account. The email creates urgency and references a previous phishing attempt, which is a common social usering tactic. While appearing professional, it asks recipients to contact the sender directly, which could be a way to establish malicious communication

Email SPF failed

Source: Notification of a Compromised Email Account.msg

Email attachement header: Authentication-Results: fail (sender IP is 170.10.152.241)

Source: Email

Classification: Credential Stealer

Source: Notification of a Compromised Email Account.msg

String found in binary or memory: https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.witoneng.co.uk%2F&data=05%7C02%

Source: classification engine

Classification label: mal48.winMSG@3/4@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250109T0947580130-2184.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Notification of a Compromised Email Account.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "15AB6D5B-DD4C-4021-92C2-89AAE7974098" "633592FF-07EB-4F19-8BC6-95D7F4FA68D7" "2184" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "15AB6D5B-DD4C-4021-92C2-89AAE7974098" "633592FF-07EB-4F19-8BC6-95D7F4FA68D7" "2184" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: Notification of a Compromised Email Account.msg

Static file information: File size 2760192 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	11 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.witoneng.co.uk%2F&data=05%7C02%	Notification of a Compromised Email Account.msg	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586759
Start date and time:	2025-01-09 15:46:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Notification of a Compromised Email Account.msg
Detection:	MAL
Classification:	mal48.winMSG@3/4@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.111.236.32, 52.111.236.35, 52.111.236.33, 52.111.236.34, 20.189.173.1, 13.107.253.45, 20.109.210.53, 184.28.90.29
Excluded domains from analysis (whitelisted): ecs.office.com, azurefd-t-fb-prod.trafficmanager.net, onedscolprdwus00.westus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, ocsp.digicert.com, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, ukw-azsc-config.officeapps.live.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Notification of a Compromised Email Account.msg

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "explanation": [ "This is likely a phishing attempt masquerading as a security notification about a compromised account", "The email creates urgency and references a previous phishing attempt, which is a common social usering tactic", "While appearing professional, it asks recipients to contact the sender directly, which could be a way to establish malicious communication" ], "phishing": true, "confidence": 8, "generated_by_ai": false }
{ "date": "Thu, 09 Jan 2025 15:18:34 +0100", "subject": "Notification of a Compromised Email Account", "communications": [ "CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.\n\n\nRichard Moody has had his email account compromised and it has been used by a third party to send out phishing emails.\n\n \n\nRichards Moodys email account has now been secured however I am writing to you to inform you that you will have received an email from what appears to be Richard Moody on Tuesday 7th January 2025 entitled Cost Proposal Needed, however this was NOT from Richard Moody and should be discarded immediately.\n\n \n\nIf you have had any concerns or issues regarding this email please contact me directly at scott@witoneng.co.uk <mailto:scott@witoneng.co.uk> \n\n \n\nKind Regards\n\n \n\nScott Barwick\n\n Quality Manager\n\n <https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.witoneng.co.uk%2F&data=05%7C02%7Cjason.schumacher%40nationalmi.com%7C921e9e78546a41b9132608dd30b88d22%7C00ba92ebb0004ac1aa36470e8b3a6a63%7C0%7C0%7C638720291438710587%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=wwkoxEL1r0NHgHkXtowuCEea2LzR%2FFRYkt1nrhYQoTY%3D&reserved=0> \n\n Pilland Way, Pottington Business Park\n\n Barnstaple, North Devon, EX31 1QW\n\n Tel: 01271 374 177\n\n Fax: 01271 322 170\n\n\n \n\n \n\n" ], "from": "Scott Barwick <scott@witoneng.co.uk>", "to": "Jason Schumacher <jason.schumacher@nationalmi.com>", "attachements": [ "image001.jpg", "image002.jpg" ] }
URL: Email Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Cost Proposal Needed", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Email Model: Joe Sandbox AI	{ "brands": [ "UKAS", "ISO 9001" ] }
	{ "brands": [ "UKAS", "ISO 9001" ] }
URL: Email Model: Joe Sandbox AI	{"classification":"Credential Stealer"}
Email: Detected potential phishing email: This is likely a phishing attempt masquerading as a security notification about a compromised account. The email creates urgency and references a previous phishing attempt, which is a common social usering tactic. While appearing professional, it asks recipients to contact the sender directly, which could be a way to establish malicious communication	{"classification":"Credential Stealer"}

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.fb-t-msedge.net	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	Setup64v9.9.8.msi	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://clicktoviewdocumentonadovemacroreader.federalcourtbiz.com/lhvBR/?e=amFtZXMuYm9zd2VsbEBvdmVybGFrZWhvc3BpdGFsLm9yZw==	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	Play_VM-NowAccountingAudiowav011.html	Get hash	malicious	Unknown	Browse	13.107.253.45
	17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe	Get hash	malicious	XWorm	Browse	13.107.253.45
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	13.107.253.45
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	13.107.253.45
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	13.107.253.45
	https://docs.google.com/presentation/d/e/2PACX-1vT2PGn0zBbaptqxmzd37o4wD_789vdOk0IyvB9NJB93qGFh_af8Du5RuZX0G1lsycIP1UzhONEj31sn/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	13.107.253.45

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250109T0947580130-2184.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.479289048932752
Encrypted:	false
SSDEEP:	1536:QVZu66Z4sTfgi9ivyuuy2IGhsCLQpJXuQx:QV24qgiQvFJXu4
MD5:	BEB2B3C227165BBB1346184801662E93
SHA1:	EAEE48525FF4B5E26EE52B948194A344DA6D15E7
SHA-256:	00AD5755E066A5F523131162B41149EE50D687BD9399B6F1AD4B191D3A43D084
SHA-512:	54A90430E70095B0D89D83CC066A3835A517B2B2B98B23FB27A4DEA824C83EC9167F8B41ECDB763A1C1DEE03E7A8EA9E90EE4AA469CCA77D0CDAE9FBA53DB251
Malicious:	false
Reputation:	low
Preview:	............................................................................f.............Ey.b..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................G.............Ey.b..........v.2._.O.U.T.L.O.O.K.:.8.8.8.:.5.7.b.4.1.9.1.7.e.9.6.9.4.7.b.c.8.b.d.f.2.5.0.1.6.d.6.a.2.d.5.5...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.1.0.9.T.0.9.4.7.5.8.0.1.3.0.-.2.1.8.4...e.t.l.........P.P...........Ey.b..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF0FFDF700EDCF5210.TMP

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.3852744457170522
Encrypted:	false
SSDEEP:	192:LjmG1EwPixfxP7JCs0Rwxl3b3kHAUpG/YLci1hNgz0XHWQOGIAbAFAqwNh/:LH1DKRWsgIkHxpWi10z0XHOGIMu
MD5:	D5A0661C93C68FECE8DC5BFF5927C5C8
SHA1:	9DC820B5B08DD6705A0F102499AC34DA3C092BF4
SHA-256:	A59687929D3FF6F8B6CA71D8DFD3FA0C1A7B0D45344DEA7D34162163A51BB975
SHA-512:	D5F2398935D30606C6509D11CCE593C298D91781EA0C5B9A9B43E138A8D8E179DC6BCC2160B19258AD84B98D8191F7F8F4D725C3492E7F354CA0097C84A24920
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.272625599176315
Encrypted:	false
SSDEEP:	768:mpQc/dj7WLU7c97Amm8WxmXw7QD8BUTIZIgYXjIGFHk7vC9iCBfp:Ydj4UgJWxmgueNZsjs5Afp
MD5:	86A5E550FB24A9ACDD4FC24AAC72AE3E
SHA1:	50CFD8BBA27D36839C22D3973A37159D7095BC47
SHA-256:	1DAE3E4138852AE16BF5CB6916DF62C62E9CE69B68766256BB82EE3CF3E7FB46
SHA-512:	E4C637DA4327A5F65D99EB0B9C1C27EB61BD6E1D7CFD939DDBB92ABAB4C8C10B7C26F2E25DFBA228E3D26C6D9040EC283B3966C7BBC5FEE0F1BF19492D59F242
Malicious:	true
Reputation:	low
Preview:	!BDN.../SM......\...............=.......U................@...........@...@...................................@...........................................................................$.......D......@Q..............;........\|......8........p...........................................................................................................................................................................................................................................................................................$.qy......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.9643031097625203
Encrypted:	false
SSDEEP:	384:dIR74raJ6DejjqHvtSS7Mtyvg47W1RVf:S74A6Oivtn7EyoN
MD5:	51404BD165C6FC2A3767580B3C7EE0F2
SHA1:	D5546D04AB48297A78428B83C455D7D722BE48D8
SHA-256:	301BB958F8A272082700E62C1BEA8D22C73D6CF1E44C04B3AD6D5CD0DC624D58
SHA-512:	AD7B996ADBA6061BDEEDC9A82401F1DC31790DB75D70C168C44FAEAFCE53EED5613F84B38141DDC83BC946C0D649E08EA347746EAD924AEEFA6E453CB6E3A8F4
Malicious:	true
Reputation:	low
Preview:	<.uz0...[...........V.pw.b.......B............#...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................=G....=...........C...\...........V.pw.b....................#.!BDN.../SM......\...............=.......U................@...........@...@...................................@...........................................................................$.......D......@Q..............;........\|......8........p......................................................................................................................................................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	7.299995899497818
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	Notification of a Compromised Email Account.msg
File size:	2'760'192 bytes
MD5:	fc1996bf5ff9d481207a4308813b7664
SHA1:	bd5fab6cc11e0b6ae81d6e31195800b90c5bba32
SHA256:	d831fc71e32982ee94e8944ff97cf8205b984b49a5cfa16c24e5eb06d0de26f5
SHA512:	e9bfec5b76c9d61f17ae410094b200607bd2ad9b9846a2a82bd902d139810d7ed5d7b1022f86a627d02a2f9687e14508cb4f8fafb95bc367fad3699577aa4406
SSDEEP:	24576:ppCVyea7jXKKKKKKm7wSxNCuxAYkYnWDu7wmIrkqha4Yyid8SJlqonA4VR7D7V7z:D7QwIN9AYPWaIz1FSJlqonDTNEXO
TLSH:	A2D51213EA999B0AE9235BB504EA58368C6ABD506D44C40776DE3F1A7336B10FDC073E
File Content Preview:	........................>...................+...................................x...y...z...{...\|...}...~......................................................................................................................................................

Static Mail

General

Subject:	Notification of a Compromised Email Account
From:	Scott Barwick <scott@witoneng.co.uk>
To:	Jason Schumacher <jason.schumacher@nationalmi.com>
Cc:
BCC:
Date:	Thu, 09 Jan 2025 15:18:34 +0100
Communications:	CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Richard Moody has had his email account compromised and it has been used by a third party to send out phishing emails. Richards Moodys email account has now been secured however I am writing to you to inform you that you will have received an email from what appears to be Richard Moody on Tuesday 7th January 2025 entitled Cost Proposal Needed, however this was NOT from Richard Moody and should be discarded immediately. If you have had any concerns or issues regarding this email please contact me directly at scott@witoneng.co.uk <mailto:scott@witoneng.co.uk> Kind Regards Scott Barwick Quality Manager <https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.witoneng.co.uk%2F&data=05%7C02%7Cjason.schumacher%40nationalmi.com%7C921e9e78546a41b9132608dd30b88d22%7C00ba92ebb0004ac1aa36470e8b3a6a63%7C0%7C0%7C638720291438710587%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=wwkoxEL1r0NHgHkXtowuCEea2LzR%2FFRYkt1nrhYQoTY%3D&reserved=0> Pilland Way, Pottington Business Park Barnstaple, North Devon, EX31 1QW Tel: 01271 374 177 Fax: 01271 322 170
Attachments:	image001.jpg image002.jpg

Headers

Key	Value
Received	from VI1PR0602MB3344.eurprd06.prod.outlook.com
14	19:03 +0000
(2603	10a6:10:1a3::15) with Microsoft SMTP Server (version=TLS1_2,
2025 14	18:34 +0000
Thu, 9 Jan 2025 14	18:56 +0000
15.20.8335.7 via Frontend Transport; Thu, 9 Jan 2025 14	18:55 +0000
usb-mta-40-hA09Usq9Mumx3sKMByfpFw-1; Thu, 09 Jan 2025 06	18:45 -0800
([fe80	:b37c:2f94:ba8c:5d00%7]) with mapi id 15.20.8314.018; Thu, 9 Jan
Arc-Seal	i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
Arc-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed;
h=From	Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
h=from	from:reply-to:subject:subject:date:date:message-id:message-id:to:
cc	mime-version:mime-version:content-type:content-type:dkim-signature;
Arc-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass
("microsoft.com	s=arcselector10001:i=1"); dmarc=pass (policy=none)
header.from=witoneng.co.uk; spf=pass (relay.mimecast.com	domain of
Authentication-Results	spf=fail (sender IP is 170.10.152.241)
Received-Spf	Fail (protection.outlook.com: domain of witoneng.co.uk does
Authentication-Results-Original	relay.mimecast.com; dkim=pass
X-Mc-Unique	hA09Usq9Mumx3sKMByfpFw-1
X-Mimecast-Mfc-Agg-Id	hA09Usq9Mumx3sKMByfpFw
Dkim-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=witoneng.co.uk;
From	Scott Barwick <scott@witoneng.co.uk>
Subject	=?UTF-8?B?Tm90aWZpY2F0aW9uIG9mIGEgQ29tcHJvbWlzZWQgRW1haWwgQWNj?=
Thread-Topic	Notification of a Compromised Email Account
Thread-Index	AdtioT7AlR5xG6xCQpeNtU3se5uGfw==
Date	Thu, 9 Jan 2025 14:18:34 +0000
Message-Id	<VI1PR0602MB334461A0F506F95B811DD05790132@VI1PR0602MB3344.eurprd06.prod.outlook.com>
Accept-Language	en-GB, en-US
X-Ms-Has-Attach	yes
X-Ms-Traffictypediagnostic	VI1PR0602MB3344:EE_\|DBAPR06MB6951:EE_\|SN1PEPF000397B3:EE_\|LV3PR17MB7118:EE_\|SA3PR17MB6777:EE_
X-Ms-Office365-Filtering-Correlation-Id	921e9e78-546a-41b9-1326-08dd30b88d22
X-Ms-Exchange-Senderadcheck	1
X-Ms-Exchange-Antispam-Relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|1800799024\|366016\|7416014\|376014\|8096899003\|38070700018\|27013499003\|105050200037
X-Microsoft-Antispam-Message-Info-Original	s90MV/Yu0G/JBTLgTjflMLQxBrsTzvBeMTSQgtTBxUDCxW5hTlH1jeXdxu9+hYonTi5lZqACE+2235hJu6oA59NT30hWNF1WsPFvNuCPLP40AV/Ggb5y9QwTDVL9w+1rtJ5Ucvrnsyyf4Im7XHAT1mZomGgzqAhnYJJnOX0rNSgEZe69UkL5QSvI8KfrSO9hmWPmL+gUkRKmhrphlghcwgWJalrQHf97lWc6+lNEsM425tffN1IDD7NriMKfwNpVt+56LB+boY4vIPpFGFF6EmTzw56Vk6PCvO+0riR45jYcYSHr0f2OWNxHCVqq3iUS/rhyW6IDBoZAr5FDjd53vlDtETOzrpkZYrNlIQyPghW+Q6Ieqnbrqu7ufH4Xpc0VBN46SVqR5iD+o237NCIATdKyBD6lJ4tEec28B83pzEpdyNzVZEG4sXlWVBtbumEfZOR7G/yR9nc27vI3Yr2UQgyHXtF0moCstTzbYydGWWp/l1Dhcecb+9+vCEHw5xR7oGLwLTQQlYkNKhPTfGRYs4JjUIV01RyLfeLBmLBdJNHGZH+N+/4he2B2qwbF8R7ZqWuUcYqsvTSB5WmlVVpjAQsxWiH85xK7NJIora3GfagzOTyCEKIMVuB2bQf6mDUoq/CZvlgi8hdrhV9M4UXXbuLrs4U0P7GXHFl9Dbpc/Alg39akVykkOY7qm3FUiyJzQMIwrC8dsDJe0ztLBHUYL/gYCf6e7hlUCr2OOkrt3oAYJmuh380prQ4b50iLu5h9fQXtf606fDmJWbgTvIZfLzC3b7TxFPDR9rqKiMTMkXvzfKS6/ZiliNZEspJfYKojtq/PDfZd6SI27s8LXykYOJvw9csdk7eBKphgwr+m2ijEYwWbauFMbtAxnCBzCgDdOvVxIWNtWaEX4YWwfdwz/KWjAu3IrEA7TDmPUjcJukWPG8RDCEi+Z06OmmbqULhGC8dewyS3ubiGl/0RodG+PZIDmAzMRrzKbBWB1UTDr3Kv3go/o8Ez8aqvWNxeihbWgWuF9+Loib9BSg39EdjR75+qOT1qY21onDwDf9LlRh4ce9QYXzD/uFvnNoZyAOEPZngH92vGRtfjgewwLD9Of1SOf0RcRu0s9jjEw4HkvrT1flblh996BFDKUlLnqm1Bc5d4jGh1xBfZychcSaiTMuvFPgDd9FtH2uz7Vw3yimTedrQRm41nVLKNJvWMmO5fRkXhjJu1zv46NL1zzsoQFRGYpHXhC6393/ZJqJ4NpByb67u7YpqEo9NJWVDwDc8gb6Oqy3Wvtgbm9FBfhPOvzInxUePGYEf3JFS+7DI0yIkIbNxMwrTkk1DOB6Esz6QwCVmkYwYO6ZxwRvKoRLvLMT2HRbRIiltcAzxoiBqOTjG9+9oWPekJO4SgsWSn94Zk7uJr/7zFLrgzhDFLl7mX8fDn1s0rQ0VEXSQUlG7dG6k=
X-Forefront-Antispam-Report-Untrusted	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:VI1PR0602MB3344.eurprd06.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(7416014)(376014)(8096899003)(38070700018)(27013499003)(105050200037);DIR:OUT;SFP:1102
MIME-Version	1.0
X-Ms-Exchange-Transport-Crosstenantheadersstamped	LV3PR17MB7118
X-Mimecast-Spam-Score	2
X-Mimecast-Mfc-Proc-Id	f9GfOltlfPbiupEDPGmKdS0tlNWHs2FaFK15Tbsc4gA_1736432318
Content-Language	en-US
Content-Type	multipart/mixed;
Return-Path	scott@witoneng.co.uk
X-Ms-Exchange-Organization-Expirationstarttime	09 Jan 2025 14:18:55.6414
X-Ms-Exchange-Organization-Expirationstarttimereason	OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval	1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason	OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id	921e9e78-546a-41b9-1326-08dd30b88d22
X-Eopattributedmessage	0
X-Eoptenantattributedmessage	00ba92eb-b000-4ac1-aa36-470e8b3a6a63:0
X-Ms-Exchange-Organization-Messagedirectionality	Incoming
X-Ms-Exchange-Transport-Crosstenantheadersstripped	SN1PEPF000397B3.namprd05.prod.outlook.com
X-Ms-Publictraffictype	Email
X-Ms-Exchange-Organization-Authsource	SN1PEPF000397B3.namprd05.prod.outlook.com
X-Ms-Exchange-Organization-Authas	Anonymous
X-Ms-Office365-Filtering-Correlation-Id-Prvs	7ed4648c-8fdb-454f-f0ca-08dd30b8805f
X-Ms-Exchange-Atpmessageproperties	SA\|SL
Msip_labels	MSIP_Label_5eb92aab-0d78-4ab5-9e11-340a5b254389_Enabled=True;MSIP_Label_5eb92aab-0d78-4ab5-9e11-340a5b254389_SiteId=00ba92eb-b000-4ac1-aa36-470e8b3a6a63;MSIP_Label_5eb92aab-0d78-4ab5-9e11-340a5b254389_SetDate=2025-01-09T14:19:01.7321440Z;MSIP_Label_5eb92aab-0d78-4ab5-9e11-340a5b254389_Name=5eb92aab-0d78-4ab5-9e11-340a5b254389;MSIP_Label_5eb92aab-0d78-4ab5-9e11-340a5b254389_ContentBits=0;MSIP_Label_5eb92aab-0d78-4ab5-9e11-340a5b254389_Method=Standard;
X-Ms-Exchange-Organization-Scl	-1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|31092699021\|35042699022\|5073199012\|5063199012\|4073199012\|22003199012\|8096899003\|4076899003\|105050200037;
X-Forefront-Antispam-Report	CIP:170.10.152.241;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:usb-smtp-inbound-delivery-1.mimecast.com;PTR:usb-smtp-inbound-delivery-1.mimecast.com;CAT:NONE;SFS:(13230040)(31092699021)(35042699022)(5073199012)(5063199012)(4073199012)(22003199012)(8096899003)(4076899003)(105050200037);DIR:INB;
X-Ms-Exchange-Crosstenant-Originalarrivaltime	09 Jan 2025 14:18:55.4539
X-Ms-Exchange-Crosstenant-Network-Message-Id	921e9e78-546a-41b9-1326-08dd30b88d22
X-Ms-Exchange-Crosstenant-Id	00ba92eb-b000-4ac1-aa36-470e8b3a6a63
X-Ms-Exchange-Crosstenant-Authsource	SN1PEPF000397B3.namprd05.prod.outlook.com
X-Ms-Exchange-Crosstenant-Authas	Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader	Internet
X-Ms-Exchange-Transport-Endtoendlatency	00:00:07.7834005
X-Ms-Exchange-Processed-By-Bccfoldering	15.20.8335.010
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	Leko3vBmTw6sAZUEeLhCn/qovazKjMUt8h69P9ONrihqgvQLrjeR4KXcuTqiJNTPXgtDxydqlz/YxawOuVbdrg+1RZYu/xSJjD5vc2cJCQg4vXAQjT7t8rK9dt7m7UJ13/shqFq7bBeK+f11WsF8KZlp1pQBrxgENRDCR1J8iC+skOgJNpqBKBKkXxUqL5Acq9aXJDxV3LFUmAJTli4oq0f1WMFs9v0sMoihYdw7+GQlJ7d4pccM8TquRBcrp4xbPmIWb8T+yJ+RYj3AoMilyjTrsueYlpBPrvpApBDbBQJjDMhZTzPn7UoTJ4Bs6KJyxxavf0uQGg2tePzz+o0YEK8kJ3KJpI+tI24EQAp9QnXP2M996WWhGljtxRxWJBeg6LVe07KPz/RN1q/XIf1W4TPccNuXOn87yQhtzZU98zvuH2hABN0hV3lPH4u/XSv++0Bl7gvqy1C2MUO+VoizYyPMEWRqKa+Y3HJ+KgjKWhIYoyDzRApg84pb97/rionKGFMHk8wDznmJEFzbbbmqkZE85pBZePyHR8Cjqnm/HheKF3/DCRku9VXB3q9gvGPZ0i6LmKb7uIJHPd9AZ8PvT6z7APF3/Ut0UP0gs3xDQGhViRDgNh5CDuTJOHN+Hlfnd58SYM9RGdFURdCj2wg9eijaitLgGzZVgEXgasG3lml6wsc2EPPa5jIN3BUgTDmCz9m+xBhSKaIZJqzTRlaWLxXBAatOXMuK7IVaVrVrA7rsDMzIXvCYu82etu7Qz1g0dN1U/Ocq9RxbhZm2JHXGj5sjWPsI8GyKgQQ2pH6d4gtKIgD1/YbAdysD9Q6MN2DRf4pTCwimu+/BgdYP2aTQfjPkUNxxC6pOf5fzcZmgWw8yTAK4AFTTYKlYOYCpyIlEqbo9r40mybu8AvnBJbdJ3IK5XsXM4bukduePaIG6yPfleIbg+IIKQZWta3+N8GrGTuIWshQYGd/SIsNEyKg2/mnnGyWKk/jAulJPxEDDrmdV9YKS+ubxVto0C3NyikIERwaCt22ZvHJ3v7Bk/tZHxrPUwWjww2fyYiI/RMpb7U0aAw6DAVXJgLMnk646m7vLyWfM+HnOviq602N/nzLEZLttN4VjCJLnb+9WQjqmyHc2ub4S+7LAjwWblbxv+4fSJG2PM8mnt99DZrCg74bQWOoRLEmxd3UuZ1EEW8S7z+PiV0Wu5S5PTKQf3jSVGDdnWRq56cpIhRn5vA48VT0pQYiX53RbtTx1xjmDnOtEEzWRD1WZo2Qkzw1sll15lTfs62t90O0Xz33eHQws9k3orVqhJYBY36aaLU+PyaZisPERwcye72spNqxlr25V52+EisV6uzRMEw5gXtbvQOn8OzswGfbPEhVluyGB1w9jBmPLrggaYkuzVswkpJiEjvIAvCA1T2f+pKKdD0fKCvDdkdpl8Bn3BPh0ciPEptAmCvpDNct1cFBT+f7YWqcsneZ98ByWFnlXx9qBIzPKMXMyEB34T03QYjKvX6oVSkND1An1IYR2LvNIzl7jfzWNUub0nKBy3XOLq23YTK9SKhycX5w35l3l6seY6KJwCupfDXPh2r+KuyS1CLR8QKYbwy8WQOmfyAJ4BtMaRJgHJhb3pXMmr27wP2gZeQGxfi+K72tEK0vwqRfjFbiitDv8leWnbmAVCzFyZOccUj0kFNExOhYkGT8lZzLM+ee/Ev2FPBu+7+4GvFxlFpfYIEeN1vhB/hCuwIscPt6AtL+a0IYwZE0HXLr45mg9SLchWehWsfCQ8CoYnHBwVrTPGOLB/pmapR6oxBrS2KPkQlWRQuH4PmBj0yTWT0zDzaTSZ0HzhR7qJmuCzeOC2mnqR8hXEmenpxBHc3CrnxDCEBk+LihhQnCBQU+Duqp8oTKuJdYtlQCOR0v5DE87rMhqgiz+FcqdsHs8Ng5zR+3Xecfjaw5/W17bVCfi2RDqL7duXzMh4Y+k9AV2zY600JWNyFj22TgQdGPYPKB1uJH6o7FFVQwl2cxFNMjnD+ymWLhcSs0+g+Vjmdkjsik2oC05OwrWCAKBT0cX1avoZD+bCPuGqcpFhY1cR3mgYNsc0I/Zy217ySaSEhoNAF/IWUeXVKNXINvvDRiQhH/hfY0F537SNwk2vBqJwlF2NxBq4pLDFJfBzQo=
To	Jason Schumacher <jason.schumacher@nationalmi.com>
Content-Transfer-Encoding	7bit
date	Thu, 09 Jan 2025 15:18:34 +0100

File Icon


Icon Hash:	c4e1928eacb280a2

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 15:47:52.727042913 CET	1.1.1.1	192.168.2.6	0xc01b	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 15:47:52.727042913 CET	1.1.1.1	192.168.2.6	0xc01b	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 15:47:52.727042913 CET	1.1.1.1	192.168.2.6	0xc01b	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 2184, Parent PID: 4004

General

Target ID:	1
Start time:	09:47:55
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Notification of a Compromised Email Account.msg"
Imagebase:	0xd90000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: ai.exePID: 6196, Parent PID: 2184

General

Target ID:	5
Start time:	09:48:02
Start date:	09/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "15AB6D5B-DD4C-4021-92C2-89AAE7974098" "633592FF-07EB-4F19-8BC6-95D7F4FA68D7" "2184" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff605570000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly