Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
Message.eml

Overview

General Information

Sample name:Message.eml
Analysis ID:1625915
MD5:c15590a6b60ac428d86530513abd37f5
SHA1:642621b07bbe361eb19e63fc892bf8188755bd12
SHA256:7e0df8b8070421dfad58080b3e928589bebcf192451a2c6df5f460b1f887a838
Infos:

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • OUTLOOK.EXE (PID: 5060 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Message.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7856 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "592371A3-070E-4F29-A9F9-6773D99E35AC" "2C980A41-FEAC-442C-BE35-F520B695017A" "5060" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5060, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • Phishing
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Phishing

barindex
Source: EmailJoe Sandbox AI: Detected potential phishing email: Email sender address (vito.ranieri@uniba.it) doesn't match the displayed name (Michael Sadler) and claimed organization (PARIVEDA CONSULTING). The email chain shows inconsistent sender addresses (Pariveda.Receipts@consultant.com vs vito.ranieri@uniba.it). Contains classic phishing elements: urgency about payment, attachments including suspicious invoice and W-9 form
Source: EmailJoe Sandbox AI: Detected suspicious elements in Email header: IP mismatch: Email claims to be from uniba.it but originates from 84.17.46.11 while claiming localhost [127.0.0.1]. Authentication inconsistency: Claims authenticated sender 'sarah.ismail' but return-path shows 'vito.ranieri@uniba.it'. Suspicious routing: Connection claims to be from localhost but shows external IP. Multiple security headers present but show conflicting trust levels (SCL:1 but SFTY:9.25). Unusual boundary string format in content-type header. Anonymous cross-tenant access indicated by x-ms-exchange-crosstenant-authas
Source: EmailClassification: Invoice Scam
Source: Message.emlString found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: classification engineClassification label: mal48.winEML@3/4@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmpJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250227T1401060488-5060.etlJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Message.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "592371A3-070E-4F29-A9F9-6773D99E35AC" "2C980A41-FEAC-442C-BE35-F520B695017A" "5060" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "592371A3-070E-4F29-A9F9-6773D99E35AC" "2C980A41-FEAC-442C-BE35-F520B695017A" "5060" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicketJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: Message.emlBinary or memory string: hgkTM1TzVjewHGfs80EVrbnyjGrIt1qh4FrsWtHkbTzTOFpA7LLnDEDRbFGO5KyBM31PXnMC9sAx
Source: Message.emlBinary or memory string: XEgWkem4F/fhPtyDXsUfXogUXIzL8RL6VE00hvmCiXTgI4B/YWAqZsi/xb3yfFwu34l8+SjWy2sQ
Source: Message.emlBinary or memory string: yNiYMrgZhVC4oQemuGFPLYkAs2PouUD64RTrdcyyUA2NgavZbv4fPOWWNyOqJhMKZW5kc3RyZWFt
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation11
Browser Extensions		1
Process Injection		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Modify Registry		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account Manager12
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1625915 Sample: Message.eml Startdate: 27/02/2025 Architecture: WINDOWS Score: 48 15 AI detected suspicious elements in Email header 2->15 17 AI detected suspicious elements in Email content 2->17 6 OUTLOOK.EXE 49 70 2->6         started        process3 file4 11 C:\...\~Outlook Data File - NoEmail.pst.tmp, data 6->11 dropped 13 C:\Users\...\Outlook Data File - NoEmail.pst, Microsoft 6->13 dropped 9 ai.exe 6->9         started        process5

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
s-0005.dual-s-msedge.net
52.123.128.14
truefalse
    		high
    NameSourceMaliciousAntivirus DetectionReputation
    https://aka.ms/LearnAboutSenderIdentificationMessage.emlfalse
      		high

      World Map of Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox version:42.0.0 Malachite
      Analysis ID:1625915
      Start date and time:2025-02-27 19:59:44 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 33s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:Message.eml
      Detection:MAL
      Classification:mal48.winEML@3/4@0/0
      Cookbook Comments:
      • Found application associated with file extension: .eml
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
      • Excluded IPs from analysis (whitelisted): 52.109.76.240, 13.69.116.108, 52.149.20.212, 52.123.128.14, 13.107.246.60
      • Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, mobile.events.data.microsoft.com, onedscolprdweu15.westeurope.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, neu-azsc-config.officeapps.live.com, dual-s-0005-office.config.skype.com, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      s-0005.dual-s-msedge.netVM Audio and Transcription for you on Thu, February 27, 2025 ref_bnyiIW.emlGet hashmaliciousUnknownBrowse
      • 52.123.128.14
      original.emlGet hashmaliciousUnknownBrowse
      • 52.123.128.14
      Payout Receipt(171).pptxGet hashmaliciousUnknownBrowse
      • 52.123.129.14
      Microsoft subscription purchase confirmation.msgGet hashmaliciousUnknownBrowse
      • 52.123.128.14
      Purchase Order PO-C1J24023-0624-01-02.xlsGet hashmaliciousUnknownBrowse
      • 52.123.128.14
      Purchase Order PO-C1J24023-0624-01-02.xlsGet hashmaliciousUnknownBrowse
      • 52.123.128.14
      original.emlGet hashmaliciousUnknownBrowse
      • 52.123.128.14
      Barkingside invited you to their organisation on Appointedd!.emlGet hashmaliciousUnknownBrowse
      • 52.123.129.14
      phishing.emlGet hashmaliciousUnknownBrowse
      • 52.123.129.14
      RFQ#TLPO26-25.xla.xlsxGet hashmaliciousUnknownBrowse
      • 52.123.129.14

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250227T1401060488-5060.etl

      Download File
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):110592
      Entropy (8bit):4.535944479518242
      Encrypted:false
      SSDEEP:768:8dtR14R/xBS5ujHaBLpD4B/9mFMEdRVSWTWpWuWyQ7x0WHk9VXb782PV8GPux+TK:8v4B/9mFZmQ7x0WHk9VXvqgCl
      MD5:023D0943EC328D2935C515120527A71C
      SHA1:4B896DF9C0FDAC0284ACE8F50B3DEA976F7B1610
      SHA-256:941CD46939AB4AFC03532B3C711EEF4723CC600EBD65E63947A13FD244858374
      SHA-512:2F844B825EB8CE391A35CF7302B67D35843393239602D1165CCF4C1ED14F76E095C5A6B163208A4384FB80DBCC16D974D5E7FCA5E974E5038CD45137D62B04A4
      Malicious:false
      Reputation:low
      Preview:............................................................................d...........\.{.I...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@T.Z...........\.{.I...........v.2._.O.U.T.L.O.O.K.:.1.3.c.4.:.7.6.f.6.7.9.7.1.5.d.4.9.4.2.4.1.a.0.4.2.4.b.c.7.a.d.4.8.d.c.8.b...C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.2.2.7.T.1.4.0.1.0.6.0.4.8.8.-.5.0.6.0...e.t.l...........P.P..........g}.I...................................................................................................................................................................................................................................................................................................

      C:\Users\user\AppData\Local\Temp\olk89E7.tmp

      Download File
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):119019
      Entropy (8bit):7.886637436432704
      Encrypted:false
      SSDEEP:1536:mrecZjd62JpF9M+L9jhgOsgJz7cd2TxdciTU00K3POhZO2lEQtVtR+/rCW8HkRu8:mxzn7mHAzYdtIVaO2lwDEBcUvID
      MD5:005CFFE11AB5428D4F107C9E8513F123
      SHA1:C8C8FEF49B6625503C01A627AF531B8F91329A5D
      SHA-256:46648B87651C707E8D4360EAA90CCF280BCDCBEAFEC57685BB9A310227E65B51
      SHA-512:CFB8D818DA7020643DBC344D4B2214D13A8ED35756F24D8D78B6773BE28D153959A0A6269C170B1D94AB17DDFC6D6A3C22EC6C638D17407797A094AFBE80B3A5
      Malicious:false
      Reputation:low
      Preview:^f~H.....O.{....7..O..l....3....H..-.8.-..{..\)..Vp.q`...A.".Uk....:.6P.u.....k.Gu.2>.$.he.7...o.Y.N.{.}C(.-7....xI..f?.^...\gB`...."..c.....9...9....K.....T.'....$i..p...m.>{.I....j.$...........sY.K.. ...]..8....L^.ED.....(.D.A.(&..NY.,.j.yqp?.h.}.~....+.....4k...TY*.......(....z8p.........\..'..^.I'..e.....~>`y.0.A_.9..u...v`.c.].[...w<..A.i.g.H...Ja.G[c..V............]...^@.....$.@.".....M..Y....',.l}w..\....E..f.c.*.k.3.[e.X.....#......5%.9.endstream.endobj.108 0 obj.<</Filter /FlateDecode./Length 448>> stream.x.u.Kn.1.D.}.^`.V....A......3....Q......0.AO..8G~.BR...1y{.......+P..o.=E!cZ..%aTZ..Q..!....l.. ...n..0V...n....g5l....q.zm..\..8..5.3...S{wG.....s...F0...y................]![.N%0t..:..k...NZ.Iu./.#Z"G.........[.ro.o......._..O+...o~..s..4..c?=G.....R.4j.)n..-@k.s(.S;..2...q...1-X*.5B...%...C0.......y..v.?..T...li{.v1.P....N.po!m."..E-7..25G..W.~......'..q...8w.Z.0.{FS.:.....j....iS.k..........O..E........M.......L5..en

      C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

      Download File
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Microsoft Outlook email folder (>=2003)
      Category:dropped
      Size (bytes):2302976
      Entropy (8bit):2.210346313304643
      Encrypted:false
      SSDEEP:6144:hqe8sXcEFRhK6hzjRDWFMeqPveBUsnoFncCNu1LpBkx9NKjL:cssEFnXRDduvoFcB1Lfkx94
      MD5:6689DBDEA785DB61F6955F2645EC4425
      SHA1:81654ACDC9669796236095C82243997D3D8962D7
      SHA-256:A657385CAF60592BE528EC913FC5989797EAD5981C961F8783E6F1D80CA928A7
      SHA-512:1739549D38A61D05D4D801FB0B03FCA461C6B5D16138E630A8CF6F31D9C01B83457107A7019FE52C7A76BD06D407D970A68BF31098BB1AA36BAB736EE4B162FB
      Malicious:true
      Reputation:low
      Preview:!BDNN.[SM......\...+...................]................@...........@...@...................................@...........................................................................$#......D...............................T..................................................................................................................................................................................................................................................................................................p.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

      C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

      Download File
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):524288
      Entropy (8bit):6.75184273770098
      Encrypted:false
      SSDEEP:6144:K8qWLs3lPFEZeXhJuJDoFXezqW35sJYFHcNpucLNBkxK:KEsVPFKzJDj1y6F8KcLTkx
      MD5:6F0279BF99E53DC0DA017D5B0A6E8ABF
      SHA1:DDA9F316F70135A707135C5991C08B45DF648489
      SHA-256:E87DC298EBDCEFEDECC45F8C061C7445A153DBAF8BAFB4D8DE24D6C9ECF47380
      SHA-512:AFD5C4EF3D812E5EB99A587021111BDE876C894E8B0261F5A68B44ECD6818ACA1AA927F986FD6E2E7D5FD755CD27B08FDA20B2B9456D27C287687D61E2D71FEB
      Malicious:true
      Reputation:low
      Preview:..=.C................e..I.....................#.!BDNN.[SM......\...+...................]................@...........@...@...................................@...........................................................................$#......D...............................T..................................................................................................................................................................................................................................................................................................p..............e..I........$............#.........................................................................................................................................................................................................................................................................................................................................................................................................

      Static File Info

      General

      File type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
      Entropy (8bit):6.05615243172973
      TrID:
      • Text - UTF-8 encoded (3003/1) 100.00%
      File name:Message.eml
      File size:515'713 bytes
      MD5:c15590a6b60ac428d86530513abd37f5
      SHA1:642621b07bbe361eb19e63fc892bf8188755bd12
      SHA256:7e0df8b8070421dfad58080b3e928589bebcf192451a2c6df5f460b1f887a838
      SHA512:da3f45c890a0631d653f4c2d6b9956211b2a1c3b6431d7bab56bc5bc169b5f30242f92101d992035e158294c3c93b5f9de43c484b006645e1fcb2f8adcf0d935
      SSDEEP:12288:uX6Rc38JAaUJNhtYPqrTTYSjp6F6SDv2HQo12ukmkml:XWWoJ7fTTYSjsF6Go1Neml
      TLSH:05B4D06BDC1200E27360A39F9F1BDC4710973D2F195BDAEAB36D470891B477AA23485E
      File Content Preview:..."Received: from YQBPR0101MB6650.CANPRD01.PROD.OUTLOOK.COM (::1) by.. YT2PR01MB8839.CANPRD01.PROD.OUTLOOK.COM with HTTPS; Thu, 27 Feb 2025 17:34:45.. +0000..Received: from YQBPR0101CA0296.CANPRD01.PROD.OUTLOOK.COM.. (2603:10b6:c01:6d::22) by YQBPR0101MB

      Static Mail

      General

      Subject:Executive Brilliance Hub INV #20583244 Illuminate Ideas, Elevate Leadership
      From:Michael Sadler <vito.ranieri@uniba.it>
      To:wendell.satney@translink.ca
      Cc:
      BCC:
      Date:Thu, 27 Feb 2025 17:31:53 +0000
      Communications:
      • [You don't often get email from vito.ranieri@uniba.it. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] EXTERNAL WARNING: This email came from an external source. Please use caution when opening attachments or clicking on links, and only do so when you are expecting them from a known sender or can confirm they are legitimate and safe. Hi, The attached bill covers fees for coaching, development, and Kevin Quinns premium membership. Take a look at the email thread for more information, and kindly complete the payment when you can. Regards Michael Sadler Controller PARIVEDA CONSULTING
      • From: Kevin Quinn Sent: Tuesday, February 25, 2025 02:44 PM To: Michael Sadler <Pariveda.Receipts@consultant.com> Subject: RE: Executive Brilliance Hub INV #20583244 Illuminate Ideas, Elevate Leadership Hi Michael, At the start of the setup, I mentioned that a copy should be sent to wendell.satney@translink.ca. Can you confirm if this has been done? If not, please send it when you have a moment. Kevin Quinn
      • From: Michael Sadler <Pariveda.Receipts@consultant.com> Sent: Friday, January 31, 2025 10:1S AM To: Kevin Quinn Subject: Executive Brilliance Hub INV #20583244 Illuminate Ideas, Elevate Leadership Dear Kevin Quinn, A quick reminder that the balance for BILL #20583244 is still due. Kindly take care of it as soon as possible. Regards Michael Sadler Controller PARIVEDA CONSULTING
      Attachments:
      • lNV20583244.pdf
      • W-9.pdf
      Key Value
      "Receivedfrom YQBPR0101MB6650.CANPRD01.PROD.OUTLOOK.COM (::1) by YT2PR01MB8839.CANPRD01.PROD.OUTLOOK.COM with HTTPS; Thu, 27 Feb 2025 17:34:45 +0000
      Receivedfrom [127.0.0.1] (unknown [84.17.46.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: sarah.ismail) by smtp.uniba.it (Postfix) with ESMTPSA id 0C890400ED31 for <wendell.satney@translink.ca>; Thu, 27 Feb 2025 18:31:54 +0100 (CET)
      Authentication-Resultsspf=pass (sender IP is 193.204.176.23) smtp.mailfrom=uniba.it; dkim=pass (signature was verified) header.d=uniba.it;dmarc=pass action=none header.from=uniba.it;compauth=pass reason=100
      Received-SPFPass (protection.outlook.com: domain of uniba.it designates 193.204.176.23 as permitted sender) receiver=protection.outlook.com; client-ip=193.204.176.23; helo=wolf.uniba.it; pr=C
      X-Virus-Scannedamavisd-new at uniba.it
      DKIM-FilterOpenDKIM Filter v2.11.0 smtp.uniba.it 0C890400ED31
      DKIM-Signaturev=1; a=rsa-sha256; c=relaxed/relaxed; d=uniba.it; s=20241030; t=1740677517; bh=2QxI1ipi8A7IztzQY2S+qxUZyWV67QY/HWSqVQfmEsA=; h=From:To:Reply-To:Subject:Date:From; b=Q+HDNXe7izCgHUjfshMAjud7Hm9N9aBvRbNEAmrPSOePeE+XL9lVaPgjz16xZqO/V 0UI3MeoFpsoX5Ruzsqq6enIgIdVpYYjuXKz9H8eyBsRFqMuVbLc9zwSsu2qjlYUDSF mUHE+h3VD3xgKGdIgwK9pF7Nq/rNRs7upnNCtwtAjmCagiMi6lcaVVjtQDcYCK2Mbs Xct1m9ZKVmvCXXpUhAvNTIad0slqL+8JzgE9V+uFQta553Yg9TVTZhlortTxxG/kz4 3chVfdyUpEkwxXFTYeR7FaIwZIQ00R5LKnVWHskb9Z0mCN7udFpew1YmKAgF48/8eL Onk9NIFSjlEww==
      FromMichael Sadler <vito.ranieri@uniba.it>
      Towendell.satney@translink.ca
      Reply-ToMichael Sadler <Pariveda.Receipts@consultant.com>
      SubjectExecutive Brilliance Hub INV #20583244 Illuminate Ideas, Elevate Leadership
      Message-ID<96187892-5448-1267-603f-ee2befec6d80@uniba.it>
      DateThu, 27 Feb 2025 17:31:53 +0000
      Content-Typemultipart/mixed; boundary="--_NmP-f77e3dace00be1c3-Part_1"
      Return-Pathvito.ranieri@uniba.it
      X-MS-Exchange-Organization-ExpirationStartTime27 Feb 2025 17:33:56.4440 (UTC)
      X-MS-Exchange-Organization-ExpirationStartTimeReasonOriginalSubmit
      X-MS-Exchange-Organization-ExpirationInterval1:00:00:00.0000000
      X-MS-Exchange-Organization-ExpirationIntervalReasonOriginalSubmit
      X-MS-Exchange-Organization-Network-Message-Ida89080ba-76a1-46a5-9d20-08dd5754e998
      X-EOPAttributedMessage0
      X-EOPTenantAttributedMessage4157b39d-533a-41f7-8314-898c4d2ff33b:0
      X-MS-Exchange-Organization-MessageDirectionalityIncoming
      X-MS-PublicTrafficTypeEmail
      X-MS-TrafficTypeDiagnosticQB1PEPF00004E0E:EE_|YQBPR0101MB6650:EE_|YT2PR01MB8839:EE_
      X-MS-Exchange-Organization-AuthSourceQB1PEPF00004E0E.CANPRD01.PROD.OUTLOOK.COM
      X-MS-Exchange-Organization-AuthAsAnonymous
      X-MS-Office365-Filtering-Correlation-Ida89080ba-76a1-46a5-9d20-08dd5754e998
      X-MS-Exchange-AtpMessagePropertiesSA|SL
      X-MS-Exchange-Organization-SCL1
      X-Microsoft-AntispamBCL:0;ARA:13230040|7053199007|4053099003|4013099003|43540500003;
      X-Forefront-Antispam-ReportCIP:193.204.176.23;CTRY:IT;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:wolf.uniba.it;PTR:wolf.uniba.it;CAT:NONE;SFTY:9.25;SFS:(13230040)(7053199007)(4053099003)(4013099003)(43540500003);DIR:INB;SFTY:9.25;
      X-MS-Exchange-CrossTenant-OriginalArrivalTime27 Feb 2025 17:33:56.1628 (UTC)
      X-MS-Exchange-CrossTenant-Network-Message-Ida89080ba-76a1-46a5-9d20-08dd5754e998
      X-MS-Exchange-CrossTenant-Id4157b39d-533a-41f7-8314-898c4d2ff33b
      X-MS-Exchange-CrossTenant-AuthSourceQB1PEPF00004E0E.CANPRD01.PROD.OUTLOOK.COM
      X-MS-Exchange-CrossTenant-AuthAsAnonymous
      X-MS-Exchange-CrossTenant-FromEntityHeaderInternet
      X-MS-Exchange-Transport-CrossTenantHeadersStampedYQBPR0101MB6650
      X-MS-Exchange-Transport-EndToEndLatency00:00:49.3444573
      X-MS-Exchange-Processed-By-BccFoldering15.20.8489.017
      Importancehigh
      X-Priority1
      X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(4710117)(4712020)(920097)(930097)(140003)(1420198);
      X-Microsoft-Antispam-Message-Info NqoGDcM8atT1wvlN0YshjwR5Vg8DF7clImggHyiMTsCRZZbJ7IQ1k59oCalic6F9k8/a92xgTKWEs3YlNfDR8uFzoDKuPZzQe+xeq7eyEqb4VdRrABkqv8XmeWICIw/PftkzdT39/XACHqr7oYhgn+K00520/lkP7iU0b9m6DtilYL3W99dn7Z4I0AEH9QKUyxu8jJwIkt6BCnOd65FlrCgaqpiehmIZddusvXSTNkNS5xHBhvdeEWjwP5nAh4CC6rQMyYuMZLwgGYBO3sn2UvZfxW6oorWuX2RPhriHJhX+Utu7dI5xkqlM2xfpNprudfHkp8UPRn7YtcD7HXW0tBAwDWjzYcNWjI0THu4uuYyarsC4tUGMTDlT6YuZe8bTJdGFzUK9jq2+WafbMyi9Dgmi58z8dI+xXvEMjRybTqNza1Luu8aC3jpI98uaolUE5BHNa/d4jMAPg65G3qCSfk7pQvkJ+5X92GTfqKcY7P8nSolS1OHAL6Xkhq6X4m+O7oCEPu4hqF35mYLKDBxzWCAecsHxxCqBflZ89cIsPQJKfRnjg+b/LyRGBdWqw4Szo+5PJ8XmA3/cjNyHZhFzkHjYpsCwN5eL5+wmynCze3T73Ykie3C5ptFLCtCS9CyDu1nCJc85YqfPJ4c++Y4SicnGLQH4yoYFh/4+OHe3f+Z/cwbJzeQix5RtaC08M0DWd+SUG3fv1ZA9v1uD+9o7G/l4w3AqL9daKVDru1nLRCfYBUS2ZzETJcbTWEDfX60nbh/Rd5ve2nbk+k+WQs5xSSc2QcWnaqFf2O1dtuLWyovGV+yTPrTsVYBwL6t2pAE/n6FJHdjA6UoysJr1yKZGntNIXp0Q/KVE0LRYdJFn4emyIayr+2Ir8G3WDYe8mxQqVYKPQQ4YQRfRi+8hRM9kkbHftkveDrzC0+9JSlqW1EMIXZsrkCJxpIVvznwgVkbC2zM0k++2po7LL3BH0lm8b7tme4g/mHcgeGIXoZGjq0SVqJTe0v135qstpQjb4nJY06P9wZfQBMdio992anqQ10THF+k68vmnSy2iU8RhtEWvpJQMEDPWgduOPlFmfgiow8lNjVKgRDSYjTAgozbrg3mGN9Q2cZiFO5qEWgWcX+KlQyATaNOEQgDTV2CjNa3lyl9fTeGJgUzAn3ZfgBaJgTWMZc69/9qaJ/y5EmcooNug6+whLoN+4ANsuMiA0Ly7/TURAY5E4QVHVeFAF/tNezJO0mb3az5lrkoBsX6S97Ei3DgdRMTsJV3s/+gfzFOPSbIrcegd0EM0wS454Tjq4j8Wa0H3F1CcRaPNpRJggI6y9wmgxUb5lzMlQy2KCzvYBokabZOUrUtsPfHpL4A8nCWZsiUfT2boxnpkqrNcTLF6BBauFoLarrFw7s+NUlPDSeP8XCcK6qkGRlDmWejEC5EUlH2Dj5HRO7DdlBE7W9L6t+OzftwScA23puCBMoHXRvrDNPkpcGYH+f+ftfHX3o3eS2b9JJTfAmcN6tk7JnaR/jXKdHanZIPD0JX3RC47ya2F1ZQi6q0YwpZg3V4P303UZomkk81NASklT3UjTO8fnG0RXgrKSkgjxRQAA/u2tgiaXAvMUOXX7Mv0Nytgh4mjySd6w2uxhz+NMo7pL4xrY8r3Om3ZTZUORVtlD/xFgN3iqpH6r6FPUASzal6xzvXgoNgYLF52qboXgiHDE7RieC+D2ask5xGIoBNwehfgsOoxX8n7G01h1Cudhv1Xhf/PwICBXyXuLZO2br8OlmarVP4OOtIDp7c4l777pnkJwrMK+QBSSo8kctSEdfNEiiTeNIFZvUYziFZSTJiNufYjs5ukl3jlcRULV3YG0TtPJOyu50ZjyX79xi7NpXtgPsbZ4iM6d8cZYfSYn9WB7rRFKNOPSgBwVtxkc/bCmiC/ThbmYvSBshA6idcbhbiRXrfRc3gB2X58HzWcvqRDUBw2kplxmGUlY0vaz196Wlf1bMKPa4+lWdoLMstMJqJ3/sH2oW5iHHWYpBhqcEZNB/dqD+LxNOJWIyS1imxl38Qink/kjLstChnXFyl9VC5XT+Kpe3VgVYvTBBNIqgbbIbAn/HODAXE170pCVvU1ZUkSOzOglR9IwfCBJ+Ze6c+t4VT290Nk1VGYu6qicDVBoak/1C1b+7hF3EAP3jLxy0A2Jf4f+xVrLzq5g3DVItW/sDqLJISB9fXcFuHwO+VPUNJOQK7rI/tZaHdfS3neCThd1anJ2Be0nvgfklvpOJnQngxZRwZ0kWuDJhyIidWa+oNwJK30dDTjIrX8OUIikEkeT4F2WruykHmxvMcN7BgO4laMfwErk7RoQPfill9+taI=
      MIME-Version1.0

      File Icon

      Icon Hash:46070c0a8e0c67d6

      Network Behavior

      DNS Answers

      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Feb 27, 2025 20:01:10.737524033 CET1.1.1.1192.168.2.80x4d32No error (0)ecs-office.s-0005.dual-s-msedge.nets-0005.dual-s-msedge.netCNAME (Canonical name)IN (0x0001)false
      Feb 27, 2025 20:01:10.737524033 CET1.1.1.1192.168.2.80x4d32No error (0)s-0005.dual-s-msedge.net52.123.128.14A (IP address)IN (0x0001)false
      Feb 27, 2025 20:01:10.737524033 CET1.1.1.1192.168.2.80x4d32No error (0)s-0005.dual-s-msedge.net52.123.129.14A (IP address)IN (0x0001)false

      Statistics

      CPU Usage

      050100s020406080100

      Click to jump to process

      Memory Usage

      050100s0.0050100MB

      Click to jump to process

      High Level Behavior Distribution

      • File
      • Registry

      Click to dive into process behavior distribution

      Behavior

      Click to jump to process

      System Behavior

      General

      Target ID:0
      Start time:14:01:02
      Start date:27/02/2025
      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Message.eml"
      Imagebase:0x4e0000
      File size:34'446'744 bytes
      MD5 hash:91A5292942864110ED734005B7E005C0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false
      Show Windows behavior

      File Activities

      Show Windows behavior

      Section Activities

      Show Windows behavior

      Registry Activities

      Show Windows behavior

      COM Activities

      Show Windows behavior

      Mutex Activities

      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
      Show Windows behavior

      Thread Activities

      Show Windows behavior

      Memory Activities

      Show Windows behavior

      System Activities

      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
      Show Windows behavior

      Windows UI Activities

      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

      General

      Target ID:3
      Start time:14:01:12
      Start date:27/02/2025
      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
      Wow64 process (32bit):false
      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "592371A3-070E-4F29-A9F9-6773D99E35AC" "2C980A41-FEAC-442C-BE35-F520B695017A" "5060" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
      Imagebase:0x7ff7e1840000
      File size:710'048 bytes
      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false
      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
      Show Windows behavior

      Section Activities

      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
      Show Windows behavior

      Mutex Activities

      Show Windows behavior

      Process Activities

      Show Windows behavior

      Thread Activities

      Show Windows behavior

      Memory Activities

      Show Windows behavior

      System Activities

      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

      Disassembly

      No disassembly