Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
Fw Microsoft account security alert.eml

Overview

General Information

Sample name:Fw Microsoft account security alert.eml
Analysis ID:1662017
MD5:4c89cb752570cdd4f52d35a698ce5d50
SHA1:305df8c4500d7ea0d76d6ee89529d24f31a6b3ba
SHA256:e8767750781b225815cfb5fc8df62a4342ee43f1cd203430519a32a492479731
Infos:

Detection

Score:21
Range:0 - 100
Confidence:80%

Signatures

AI detected suspicious elements in Email content
Queries the volume information (name, serial number etc) of a device
Stores large binary data to the registry

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • OUTLOOK.EXE (PID: 6296 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Fw Microsoft account security alert.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6832 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C4D1528C-5EE1-4BA2-8C7D-CA8BCC23755A" "26EB5C07-BFA4-42B0-A714-3998933FECAF" "6296" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6296, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • Phishing
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Phishing

barindex
Source: Fw Microsoft account security alert.emlJoe Sandbox AI: Detected potential phishing email: The sender address 'account-security-noreply@accountprotection.microsoft.com' attempts to look legitimate but is suspicious for security alerts. The links are obfuscated through Proofpoint URL defense, making it difficult to verify the actual destination. The email creates urgency about account compromise to prompt immediate action, a common phishing tactic
Source: EmailClassification: Credential Stealer
Source: OUTLOOK_16_0_16827_20130-20250410T1110260206-6296.etl.0.drString found in binary or memory: https://login.windows.local
Source: OUTLOOK_16_0_16827_20130-20250410T1110260206-6296.etl.0.drString found in binary or memory: https://login.windows.localadMR
Source: OUTLOOK_16_0_16827_20130-20250410T1110260206-6296.etl.0.drString found in binary or memory: https://login.windows.localnullffiD
Source: Fw Microsoft account security alert.emlString found in binary or memory: https://urldefense.p=
Source: Fw Microsoft account security alert.emlString found in binary or memory: https://urldefense.proofpoint.co=
Source: Fw Microsoft account security alert.emlString found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3=
Source: Fw Microsoft account security alert.emlString found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__=
Source: Fw Microsoft account security alert.emlString found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__acco=
Source: Fw Microsoft account security alert.emlString found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__go.m=
Source: Fw Microsoft account security alert.emlString found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__go=
Source: classification engineClassification label: sus21.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmpJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250410T1110260206-6296.etlJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Fw Microsoft account security alert.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C4D1528C-5EE1-4BA2-8C7D-CA8BCC23755A" "26EB5C07-BFA4-42B0-A714-3998933FECAF" "6296" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C4D1528C-5EE1-4BA2-8C7D-CA8BCC23755A" "26EB5C07-BFA4-42B0-A714-3998933FECAF" "6296" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation11
Browser Extensions		1
Process Injection		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Modify Registry		LSASS Memory12
System Information Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1662017 Sample: Fw Microsoft account securi... Startdate: 10/04/2025 Architecture: WINDOWS Score: 21 10 AI detected suspicious elements in Email content 2->10 6 OUTLOOK.EXE 136 73 2->6         started        process3 process4 8 ai.exe 6->8         started       

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Fw Microsoft account security alert.eml0%VirustotalBrowse
Fw Microsoft account security alert.eml0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://login.windows.localadMR0%Avira URL Cloudsafe
https://login.windows.localnullffiD0%Avira URL Cloudsafe
https://urldefense.p=0%Avira URL Cloudsafe
https://urldefense.proofpoint.co=0%Avira URL Cloudsafe

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
s-0005.dual-s-dc-msedge.net
52.123.131.14
truefalse
    		high
    NameSourceMaliciousAntivirus DetectionReputation
    https://login.windows.localOUTLOOK_16_0_16827_20130-20250410T1110260206-6296.etl.0.drfalse
      		high
      https://urldefense.p=Fw Microsoft account security alert.emlfalse
      • Avira URL Cloud: safe
      		unknown
      https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__acco=Fw Microsoft account security alert.emlfalse
        		high
        https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__go.m=Fw Microsoft account security alert.emlfalse
          		high
          https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__go=Fw Microsoft account security alert.emlfalse
            		high
            https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__=Fw Microsoft account security alert.emlfalse
              		high
              https://login.windows.localnullffiDOUTLOOK_16_0_16827_20130-20250410T1110260206-6296.etl.0.drfalse
              • Avira URL Cloud: safe
              		unknown
              https://login.windows.localadMROUTLOOK_16_0_16827_20130-20250410T1110260206-6296.etl.0.drfalse
              • Avira URL Cloud: safe
              		unknown
              https://urldefense.proofpoint.co=Fw Microsoft account security alert.emlfalse
              • Avira URL Cloud: safe
              		unknown
              https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3=Fw Microsoft account security alert.emlfalse
                		high

                World Map of Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1662017
                Start date and time:2025-04-10 17:09:00 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 33s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:17
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Fw Microsoft account security alert.eml
                Detection:SUS
                Classification:sus21.winEML@3/3@0/0
                Cookbook Comments:
                • Found application associated with file extension: .eml
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, TextInputHost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.109.6.53, 52.109.8.36, 23.215.0.46, 23.215.0.37, 23.53.11.13, 23.54.127.164, 20.42.65.89, 52.123.131.14, 52.149.20.212, 20.190.151.7, 23.9.183.29
                • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, a767.dspw65.akamai.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, login.live.com, otelrules.svc.static.microsoft, eus2-azsc-config.officeapps.live.com, officeclient.microsoft.com, c.pki.goog, wu-b-net.trafficmanager.net, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, us1.roaming1.live.com.akadns.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, onedscolprdeus11.eastus.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.

                Simulations

                Behavior and APIs

                No simulations

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                s-0005.dual-s-dc-msedge.netPayment Deposit.emlGet hashmaliciousUnknownBrowse
                • 52.123.131.14
                PURCHASE ORDER -6657-980.xla.xlsxGet hashmaliciousUnknownBrowse
                • 52.123.130.14
                TaU0Q96S38.xlsGet hashmaliciousUnknownBrowse
                • 52.123.131.14
                sipari#U015f - SO280721 .xlam.xlsxGet hashmaliciousUnknownBrowse
                • 52.123.130.14
                US Job Boards.xlsGet hashmaliciousUnknownBrowse
                • 52.123.130.14
                Message.emlGet hashmaliciousUnknownBrowse
                • 52.123.131.14
                7e02499c-2bea-a9d9-6a2f-934633fb5e94.emlGet hashmaliciousUnknownBrowse
                • 52.123.130.14
                Revised - Itw feg europe 2025 Handbook43630.docGet hashmaliciousUnknownBrowse
                • 52.123.131.14
                B_W_StarVPN.exeGet hashmaliciousUnknownBrowse
                • 52.123.130.14
                FINAL -Legal Notice Presentation (1).pptxGet hashmaliciousHTMLPhisherBrowse
                • 52.123.131.14

                ASNs

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250410T1110260206-6296.etl

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):217088
                Entropy (8bit):4.91367309841274
                Encrypted:false
                SSDEEP:1536:clU4vl95GmswQBBXToG3MCI5xQic46Fq043EDN43is7rfnd0Q7E:clU4vl/GmswQ/X2Lh9Q
                MD5:B779E9456D031D4E736365012027E148
                SHA1:0771947069C637C654910ABF3216DCC7F8DC66A0
                SHA-256:FF915A31B387C1CD2939A1627F805FA3E9BEB6C6587ABEC877399649F9831ECF
                SHA-512:AF98477EF5101426A6F9224719D355CA11C914DA6493B3E2D35EEF89027D6FB0DE47B0721E7DE0384451ECC9095B37DD886B3759C269DEF7DE00375C54E3283A
                Malicious:false
                Reputation:low
                Preview:............................................................................d...........O&a.*...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0.@.Y...........O&a.*...........v.2._.O.U.T.L.O.O.K.:.1.8.9.8.:.9.c.d.f.f.6.1.e.9.9.c.d.4.7.7.6.b.b.8.f.9.7.4.c.a.5.7.2.1.0.e.e...C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.4.1.0.T.1.1.1.0.2.6.0.2.0.6.-.6.2.9.6...e.t.l...........P.P.........O&a.*...................................................................................................................................................................................................................................................................................................

                C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Microsoft Outlook email folder (>=2003)
                Category:dropped
                Size (bytes):271360
                Entropy (8bit):2.7313824306508776
                Encrypted:false
                SSDEEP:1536:uTzMr/WMlqa38a9j8aEahr7UCUdd8hbMyeiJPfkpjQnU/tg3DpAXW53jEpEHPVQG:2wLWD3GpMakpjRpj
                MD5:741DCF7F4B6FD59E1CD78B896B23A57B
                SHA1:ED3E132674AA2E350B7E595D835507161EE7CF7E
                SHA-256:3322B4DF97A697DE4C1713E755EA4ACBE26BDB210B911D8BE30AE2215AD43E82
                SHA-512:D16433D0CCA1F50BBAAEEFC13304D5DEBB5EAA3F8BBDE1E185DF70AA890212B6986A13FA0D44113DF791A7E081011C352E64ABB5E590FF77441A657F6B2346AD
                Malicious:false
                Reputation:low
                Preview:!BDN..SM......\.......................X................@...........@...@...................................@...........................................................................$.......D..................................................................................................................................................................................................................................................................................................................................T.......e:....E.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):3.6119694815359025
                Encrypted:false
                SSDEEP:1536:iW53jEpEHPVQ10BAwr14/TIlilld8hbMJl1eiJPfkpjQnU/tgKW53jEpEHPVQ10F:ApjCiPGpMkpjxuj
                MD5:1E65A74049D8C0E966448A5FC0B4EEF7
                SHA1:86C87FFF8A03E1C177A3BDEE04B3FD16F4CE2B0E
                SHA-256:202827082B15D05DDC147F81272F931C4BE73160DCA784663D044BBB48D46BEB
                SHA-512:68F504381F6EA3744AB40B8DB26CD83618F5EB63D43BEB0598C43AC3E91FC58B11EFCFD37819DDD9388A5C013936D69933B9E9F61BCCA840788C9B9DCC585D11
                Malicious:false
                Reputation:low
                Preview:Z&.~C...h.............9.*.....................#.!BDN..SM......\.......................X................@...........@...@...................................@...........................................................................$.......D..................................................................................................................................................................................................................................................................................................................................T.......e:....E...9.*........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

                Static File Info

                General

                File type:RFC 822 mail, ASCII text, with very long lines (347), with CRLF line terminators
                Entropy (8bit):6.02486961232216
                TrID:
                • E-Mail message (Var. 5) (54515/1) 100.00%
                File name:Fw Microsoft account security alert.eml
                File size:22'988 bytes
                MD5:4c89cb752570cdd4f52d35a698ce5d50
                SHA1:305df8c4500d7ea0d76d6ee89529d24f31a6b3ba
                SHA256:e8767750781b225815cfb5fc8df62a4342ee43f1cd203430519a32a492479731
                SHA512:390b30d9635de7972f4d2cdcfacf2755ee2393a7ec18430f00b76ac1ea8613e4f06aaf14d53368ab88b59ac34c544978540759f2d614b9b6ed1a1adec3f39b42
                SSDEEP:384:Q5mWfRsN9jICIDdlrnCSQMpJY1Kh7jR7gDFLWFo8qWu0wuklnacwWh:QoWfRs3jICIXrCSd6gh7jR7gDFLWFovl
                TLSH:F7A25C289E555015FEA134ECBC02BA8DF2520C9780B3F4D1F8A9D26F0CCE19D9B57A97
                File Content Preview:Received: from CY5PR14MB5728.namprd14.prod.outlook.com (2603:10b6:930:40::19).. by SA1PR14MB6629.namprd14.prod.outlook.com with HTTPS; Sun, 30 Mar 2025.. 03:52:25 +0000..ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=fail;.. b=gICT9A

                Static Mail

                General

                Subject:Fw: Microsoft account security alert
                From:Vicki Hawkins <Vicki@kidsdevelopmentalclinic.com>
                To:Avatar Cs Support <Support@avatar-cs.net>
                Cc:
                BCC:
                Date:Sun, 30 Mar 2025 03:52:15 +0000
                Communications:
                • Is this spam? Vicki Get Outlook for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_o0ukef&d=DwIFAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=jH6jQB7z1jeH7AvQ7qc0LChkO3mMxOkpBdNr7oY7eyc&m=s9QAAXhxki8-RJzFVzq8os2F6-Km4EgOt3O4VjfBBWhbrVbxURBi71I-V1sv7rPz&s=2Oyu7IJe350EKtCzalfF_o37CQJTKFeetrYR3tKx21s&e=> ________________________________
                • From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com> Sent: Saturday, March 29, 2025 1:54:11 PM To: Vicki Hawkins <Vicki@kidsdevelopmentalclinic.com> Subject: Microsoft account security alert Microsoft account Security alert We think that someone else might have accessed the Microsoft account vi**i@kidsdevelopmentalclinic.com<mailto:vi**i@kidsdevelopmentalclinic.com>. When this happens, we require you to verify your identity with a security challenge and then change your password the next time you sign in. If someone else has access to your account, they have your password and might be trying to access your personal information or send junk email. If you haven't already recovered your account, we can help you do it now. Recover account<https://urldefense.proofpoint.com/v2/url?u=https-3A__account.live.com&d=DwIFAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=jH6jQB7z1jeH7AvQ7qc0LChkO3mMxOkpBdNr7oY7eyc&m=s9QAAXhxki8-RJzFVzq8os2F6-Km4EgOt3O4VjfBBWhbrVbxURBi71I-V1sv7rPz&s=SMx-EqvPmg5Ieh7wnWY0BOhfESFgrogz31Jv8u9nJcY&e=> Learn how to make your account more secure<https://urldefense.proofpoint.com/v2/url?u=http-3A__go.microsoft.com_fwlink_-3FLinkID-3D263818&d=DwIFAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=jH6jQB7z1jeH7AvQ7qc0LChkO3mMxOkpBdNr7oY7eyc&m=s9QAAXhxki8-RJzFVzq8os2F6-Km4EgOt3O4VjfBBWhbrVbxURBi71I-V1sv7rPz&s=pfx8CR8KPfwKsrhhHiCaCja_f6OkQI-xexBWP6solS8&e=>. Thanks, The Microsoft account team Privacy Statement<https://urldefense.proofpoint.com/v2/url?u=https-3A__go.microsoft.com_fwlink_-3FLinkId-3D521839&d=DwIFAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=jH6jQB7z1jeH7AvQ7qc0LChkO3mMxOkpBdNr7oY7eyc&m=s9QAAXhxki8-RJzFVzq8os2F6-Km4EgOt3O4VjfBBWhbrVbxURBi71I-V1sv7rPz&s=N_DYKiw3TQQw-J0--s51wLIB12noowO4D5LXfw6QL70&e=> Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
                Attachments:
                  Key Value
                  Receivedfrom SA1PR14MB4691.namprd14.prod.outlook.com ([fe80::12b5:7309:c08e:ef6a]) by SA1PR14MB4691.namprd14.prod.outlook.com ([fe80::12b5:7309:c08e:ef6a%4]) with mapi id 15.20.8534.043; Sun, 30 Mar 2025 03:52:15 +0000
                  ARC-Seali=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=dS28gbBuPLgJ4jDC16PpDzghTjFR0uLIImjSCW5L7Ms9yoKKTlPOr7R1o7bVVPIGZVYoYEU+BzSmsSm2fQOocusE1bIl+JL/W5HI37JkC7kPcpC5K6RIiQc+CDLFc9+b8FewD+ip3EazLEc7ijuEpLnUWAcdZHA+hmiyd6RJsXzejN8USW4Da+ZFM0qQrnFPTG18XEif9FFut9TLKh4cPBg3i2HbNZrsaLeHZNK5niV5cgN9qTtEKF6WhqmzyqwgcpX2iAwDa/4A8DxhNZzKz99ZRh3SAI5nYxSSigs9qYA14hr+44phB2vLsqQCu2Z9ouco1AWQILbxoJIQmZl0Tg==
                  ARC-Message-Signaturei=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kfEeXDxTz1mu9Y2+nkfaR51o1rZ3F75/SW+FbB+Y3TM=; b=oFqb0BiumbpZMK4HsBMXH7zLDyYvH0JDiVMp0wrOOGjmd3UNZhBgRzStkSFy2APpt7aa7TvuttVx/7iDtakjg0qPccWfvoSpE0K1kjTjTSzQU7BY3QSM72JRyLr7ifVGF65lUfwZZN1AAya9kpUsgxEw4JNHGJn/TrfJJH/0a8GwWEL1THJbOOB/rVo9+Mw6O5BLimSaa4yM95SK53fU1hgkYcxieKBxqfu2yzjyknrNB/VyEkM+6RBKbJbacd3bB33k91xBQx6OeCRVOJJJJp7RF+rZEVWCFupkvakgzbN6wPB2eI8AAJpVsO/Pi3cMWMExyZP89CTeNzN5CNiFmQ==
                  ARC-Authentication-Resultsi=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=kidsdevelopmentalclinic.com; dmarc=pass action=none header.from=kidsdevelopmentalclinic.com; dkim=pass header.d=kidsdevelopmentalclinic.com; arc=none
                  Authentication-Resultsspf=fail (sender IP is 148.163.129.48) smtp.mailfrom=kidsdevelopmentalclinic.com; dkim=fail (signature did not verify) header.d=kidsdevelopmentaltherapy.onmicrosoft.com;dmarc=none action=none header.from=kidsdevelopmentalclinic.com;compauth=none reason=405
                  Received-SPFFail (protection.outlook.com: domain of kidsdevelopmentalclinic.com does not designate 148.163.129.48 as permitted sender) receiver=protection.outlook.com; client-ip=148.163.129.48; helo=dispatch1-us1.ppe-hosted.com;
                  Authentication-Results-Originaldkim=none (message not signed) header.d=none;dmarc=none action=none header.from=kidsdevelopmentalclinic.com;
                  X-Virus-ScannedProofpoint Essentials engine
                  DKIM-Signaturev=1; a=rsa-sha256; c=relaxed/relaxed; d=kidsdevelopmentaltherapy.onmicrosoft.com; s=selector2-kidsdevelopmentaltherapy-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kfEeXDxTz1mu9Y2+nkfaR51o1rZ3F75/SW+FbB+Y3TM=; b=q2avtJfcftr5pZEZEypkycOL9PAI+J/vCQLCKYM5cl4b+Bd9t4Z1/i2WvnnaFFFj3LNCVdVz536sOi/EUJjg/rRugbVcZvyiHGvkEn95HfxDUvfyjnc1sAMsQt056dq3Bgl1l6gj2TRROvmB4aiMvRqUoI/pv2ZPsvRoTIahAIk=
                  FromVicki Hawkins <Vicki@kidsdevelopmentalclinic.com>
                  ToAvatar Cs Support <Support@avatar-cs.net>
                  SubjectFw: Microsoft account security alert
                  Thread-TopicMicrosoft account security alert
                  Thread-IndexAQHboNv5Le0qFq1p+Ua2s/Pb7XZ8lLOLDId+
                  DateSun, 30 Mar 2025 03:52:15 +0000
                  Message-ID<SA1PR14MB46919BDE7A610E7960655611A2A22@SA1PR14MB4691.namprd14.prod.outlook.com>
                  References<A642VB7PRPU4.8K2MYI61KBWH3@bl02epf00024f3c>
                  In-Reply-To<A642VB7PRPU4.8K2MYI61KBWH3@bl02epf00024f3c>
                  Accept-Languageen-US
                  X-MS-Has-Attach
                  X-MS-TNEF-Correlator
                  x-ms-reactionsallow
                  x-ms-traffictypediagnosticSA1PR14MB4691:EE_|IA0PR14MB6910:EE_|SJ1PEPF00002320:EE_|CY5PR14MB5728:EE_|SA1PR14MB6629:EE_
                  X-MS-Office365-Filtering-Correlation-Id40cb1b86-a18a-4aa4-5732-08dd6f3e4745
                  x-ms-exchange-senderadcheck1
                  x-ms-exchange-antispam-relay0
                  X-Microsoft-Antispam-UntrustedBCL:0;ARA:13230040|10070799003|366016|1800799024|376014|38070700018|8096899003;
                  X-Microsoft-Antispam-Message-Info-OriginalVUKsbpUKodQVod2JPyuYLLx4xM0zepL1ETjxRLOw26BJEfZEUC7MysNSroztLzkt4j4mnpTUtJkOeFJwaZpdDFqCis7Leb47NX9sz4ELQXsfGsbw9QX6iEoRSfEMo46ue0mfpTWQw2WH8HUhVHQtDKlfbymm7C1aBrF3ctkHh56iRkA5uRjpXjUinb3DriuGiLMY679uL6PcuVF4b65PLkKtco18G7CiK/EveozK7p6CFGMQ9NE73zg1SxL5/E5h0xRdUXeydOeYTsG0Df82Moy0ykpY6NYd0ThWG1GaCdJoAC1yS6SyLUa6VKuk4oEAsKqqGI9DXNUfgX+i9wwPVB0aFBd3hp98MAm8xoc91NTXS8LeaxqgZU9gjbXGEgT/nl8lvImQezMlLouLGqYp1lTOiqt66LhoUjb3F+BPLQlLLRcoeWPkgA9HBhEz35a+Q3xPH5GsiC+jLjFPe8tLRP760ANCX39cPK6h6b0z9fvqh4US6BqAxZ6yeaaQ41lt/+pT87Cx0sbSoqb6sBfDvEvyuZN84XuTXG9FbHEzIIybNZOJDthPzzyCDlHKekk+PrGNeSiEibRDmoZq2RlNTlugI83BFSbmilwLedr9RG00j9LRaJpUvwG0IfHg3Pf2CrVR0g/L0GjpLa30QpgkWajhuxib/POnLPcJS+S9wWYw+aY9uTbuFy+AsjEknwBR50sS6yLrYI5M+Ln2j37OWtrBYcpVsfEO2OJt46Xt9fvWJR/pIr9otP/qCH4UjdRLqpX4O3dTmjGHl02IvXQITiNeNNWO7yFslZXCQQkXyAeo5OTloZL1AuecFS3xgLhq7GXwfEVae4gyRvbIlBniuAgOluXm7/VPFFl/Z4SgoObPfBhB7t37z0n8k4WOLfNsX7CNAVJ3UvSM5pMiEAD6tSZIyMT+PcsoQfEJewA4Fy6cRjx7SfRMym1aNZd2gif5Z/QNl0gMEVlmf4S/nUr0nvhYFWGReTel/ve2CRgqXZBBzaBQi52XMPvt6dvnpu+qluT0EzUo1uoPHTBMOKW5hnW3RdYYjwhpJebptD5xYSttOSDrkO4ybY7hNpj+IwKc9Nucyk/K3homL+LBC0jUDClANc5cjY5H2T2KD36U3MY+o+eAwgtYPo8JcW0Ko4y2GQ+D22fbyz6Ff5XI+q+h/Sr30Bh2KmGX++HlZHE9vSocpu4O0YzkNoEEzXornwIkw4LcYvDPnZujJctSYTlZeKIMd9Vaw2ASwShBVrKahEUh/UQnrF4n6QJl0c41Npi2yOllIq3Cj8/lvAAk6XS6I5MAVq6rEbU07dWu+/cwOe1ws8HRMvRJQKr6m1xwvcUYfpLABr/hzMNs7iM9F0t6ezHVtXo6l2A34szE97SFTanbna0XDgq06aUv4VZXozQV
                  X-Forefront-Antispam-Report-UntrustedCIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SA1PR14MB4691.namprd14.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(10070799003)(366016)(1800799024)(376014)(38070700018)(8096899003);DIR:OUT;SFP:1102;
                  Content-Typemultipart/alternative; boundary="_000_SA1PR14MB46919BDE7A610E7960655611A2A22SA1PR14MB4691namp_"
                  X-MS-Exchange-Transport-CrossTenantHeadersStampedCY5PR14MB5728
                  X-MDID1743306739-VUELxRFAT6ed
                  X-MDID-Ius1;ut7;1743306739;VUELxRFAT6ed;<Vicki@kidsdevelopmentalclinic.com>;5cf9a4cf6273223b5172cfa417120dd2
                  X-PPE-TRUSTEDV=1;DIR=IN;
                  Return-PathVicki@kidsdevelopmentalclinic.com
                  X-MS-Exchange-Organization-ExpirationStartTime30 Mar 2025 03:52:23.0860 (UTC)
                  X-MS-Exchange-Organization-ExpirationStartTimeReasonOriginalSubmit
                  X-MS-Exchange-Organization-ExpirationInterval1:00:00:00.0000000
                  X-MS-Exchange-Organization-ExpirationIntervalReasonOriginalSubmit
                  X-MS-Exchange-Organization-Network-Message-Id40cb1b86-a18a-4aa4-5732-08dd6f3e4745
                  X-EOPAttributedMessage0
                  X-EOPTenantAttributedMessage8a90e1c2-aeed-4c51-a768-cfa73171e94c:0
                  X-MS-Exchange-Organization-MessageDirectionalityIncoming
                  X-MS-Exchange-Transport-CrossTenantHeadersStrippedSJ1PEPF00002320.namprd03.prod.outlook.com
                  X-MS-PublicTrafficTypeEmail
                  X-MS-Exchange-Organization-AuthSourceSJ1PEPF00002320.namprd03.prod.outlook.com
                  X-MS-Exchange-Organization-AuthAsAnonymous
                  X-MS-Office365-Filtering-Correlation-Id-Prvs0a443da3-3d07-425a-d229-08dd6f3e42ce
                  X-MS-Exchange-Organization-SCL-1
                  X-Microsoft-AntispamBCL:0;ARA:13230040|35042699022|82310400026|13003099007|8096899003;
                  X-Forefront-Antispam-ReportCIP:148.163.129.48;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:dispatch1-us1.ppe-hosted.com;PTR:dispatch1-us1.ppe-hosted.com;CAT:NONE;SFS:(13230040)(35042699022)(82310400026)(13003099007)(8096899003);DIR:INB;
                  X-MS-Exchange-CrossTenant-OriginalArrivalTime30 Mar 2025 03:52:22.9298 (UTC)
                  X-MS-Exchange-CrossTenant-Network-Message-Id40cb1b86-a18a-4aa4-5732-08dd6f3e4745
                  X-MS-Exchange-CrossTenant-Id8a90e1c2-aeed-4c51-a768-cfa73171e94c
                  X-MS-Exchange-CrossTenant-AuthSourceSJ1PEPF00002320.namprd03.prod.outlook.com
                  X-MS-Exchange-CrossTenant-AuthAsAnonymous
                  X-MS-Exchange-CrossTenant-FromEntityHeaderInternet
                  X-MS-Exchange-Transport-EndToEndLatency00:00:02.6884764
                  X-MS-Exchange-Processed-By-BccFoldering15.20.8534.033
                  X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(920097)(930097)(140003);
                  X-Microsoft-Antispam-Message-Info WvB2dGaEq6Z+BNRhrsa/LlPKxqQrM+OnSYytTvufoco3o1PqL2fEXkK0deS8M7tUmFa4WiOZtLBvluKvuqpXubjXC7SprZreaAUklYSVD4D/KE4lBrGVYx/hyYtPB05vKYJnVeVRb+2Ob7vkWJ/hcvsbYrRdPoeEy9tpqkCqdQxfayBG28o0EI0C1P89MBOed8KTpu3Zm8rm+xI2IQQmdL/tkV9vJC9o+C3M75Kc1ldBL4dCBV9KEbIQHnMunriG0WEM8LZ5g1f3rltp4fk0iUKuRReiIKk0ghUgYTqfk/NwNe91bkHEgL/bfqnlkel8Fhm4TEs6Zat1abCs2Vzw0+rnslH+OL1OdnwD0WSoernG1bp6q//LILKNwciRPIjzirUWWMOXfUDylSx2xDa4HUGzaSwHNNdjE6KOHhNs5Jfniz4lnVm8gx68zycG0eQdbMowznnmxikyRuF9NNHG4kqqk8Szyj6HcvBuQYqjB2YBRMZm921tkCyMQybwlvAqJVdZAak4x6MgegQFc+hTNsDyry3VcHTn20VvrU045SOx3Xeq+AD2sOoXYBHbJzo1CHEp6QzMqTqgiDbE/pTR9oBs7x+vleAbf+xfXktiLmGaiUsCKS/uMgkqfoQgbvdHaxT9jeEF9lx14Q7WVn1O/5e5DHL/b2MSsGya/XIEQtf3GJvzVHn2qdtxZVB5+jjTnHJQbiK9kS/1VAZ6jaVQp/TtTvUXWBz57d4jNdhqM2cxZ8sxtQLvMXlqJ+KfBaTLGXYLWBA+QBQPEtgp3vy2otiPILjT3rkplegoiQ1XXA9rqdmFHD+yYc5SAc6NR4Yg8+OLrQRGf2mjBIuciawQnJPJ4x3j0XeE4Y6zNOu1LTun7uPpqjIOnwDvRUj9L1EgIH7HWGpPJtUMIAh3x7HUlnKdG4Q320rAbG0C6Fepe6NkiHjmyCJ5ajcDhSH+s4w6gsZ6sNnOWCToq9PqKrD3eWsuiI0gsXG8iaPqYzFr6XrIIdwVLhchEeVuSGZEPfAKaSj6Su1eT3CX1pPTNRP9Iwn/x9G+dXGBYt203P1CIGZstWnIf4ju/GsCWf/CUdhDUUVYREbfLnj/PA31YL8OWJ+nmAcbIx9nSj7DjriIjGqBOrXXoj8tBJRrzgaySu8TbWG5cMcJte0091/AT/DB6cfJ3KKYRi5IZFaw7lqROmtrZ+9QsMD3KBMqMj+3t8WkW0pk2WGfnH9ni+h56DbX/8gHCyCC20yboW06/GhzB/UZl9glz7MTXyAHYUdzvEA9Mo2of9muaa8PlVfEO6mTLSphE1xlkPJBSh4ITdDl12L2XBJwU7vLGgeRTALQV0uSMSsfKo/4AurCAJiInDYHWSdCUYHcGWqT/0XLNCENsc7vbjfdfJnK816wCzAd958OUfUu/M6qVnaPU0f846MoU+zEl4fIBaX6pwHo1fnMLPxIskro7H2VWYALNF5bLD6dkH2mVQeZIfs2ry7b4ZpxwxEXwPcLkMu34WfjkyxROXiO+uvOGrKT66N1LHHdj5VpPSvVxwPr18bg8cm+Kw8S4MfLiBgDMnFe9BDAVolVx9SxxeCE24XlDn9B7pC1khjmusoP+auqwWuk9ZAqpsAtSCCpkXQiq3EBPYkLmCz7TMST5t0iZcBTG5POKowB9ur+g71znn6IHB2fTnTMOxdKDDgWFT8WqtJGJGSZPq7TQCxLtHx11uzLhJFT0HDbtBiheMw2/AIs5L2plpfaqBwF9uDEtBKjjOulG7g00YgEcPr96vAwjeeGqYrNii9lC51ym0KGE0C/nJS/EUaV7tTAd2GB8LTBFyDLROc+uxGwKI/Twh5mEkwbSSkr09bVfWYZMJ7Cl0NkBYr733wbg1voGQc7dU8AhUajzpVPMjYF6zzwCzVTqioqBN68BYHejKRe7JKDQOkubGNW7YjGv4my79fPYX/kUafNn5be7r3GJl+qXHs+go6ZMi11NpSxHLyUpVlqsktgKyuvEloFAtm+9zCP5h12wIMCUVKYOUO+XgZTbUOnoJo4TM/GU5iReQJt
                  MIME-Version1.0

                  File Icon

                  Icon Hash:46070c0a8e0c67d6

                  Network Behavior

                  Download Network PCAP: filteredfull

                  TimestampSource PortDest PortSource IPDest IP
                  Apr 10, 2025 17:11:02.216063976 CEST5355758162.159.36.2192.168.2.8

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Apr 10, 2025 17:10:29.172341108 CEST1.1.1.1192.168.2.80xb1d1No error (0)ecs-office.s-0005.dual-s-msedge.netshed.s-0005.dual-s-dc-msedge.netCNAME (Canonical name)IN (0x0001)false
                  Apr 10, 2025 17:10:29.172341108 CEST1.1.1.1192.168.2.80xb1d1No error (0)shed.s-0005.dual-s-dc-msedge.nets-0005.dual-s-dc-msedge.netCNAME (Canonical name)IN (0x0001)false
                  Apr 10, 2025 17:10:29.172341108 CEST1.1.1.1192.168.2.80xb1d1No error (0)s-0005.dual-s-dc-msedge.net52.123.131.14A (IP address)IN (0x0001)false
                  Apr 10, 2025 17:10:29.172341108 CEST1.1.1.1192.168.2.80xb1d1No error (0)s-0005.dual-s-dc-msedge.net52.123.130.14A (IP address)IN (0x0001)false

                  Statistics

                  CPU Usage

                  050100s020406080100

                  Click to jump to process

                  Memory Usage

                  050100s0.0050100MB

                  Click to jump to process

                  High Level Behavior Distribution

                  • File
                  • Registry

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:11:10:26
                  Start date:10/04/2025
                  Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Fw Microsoft account security alert.eml"
                  Imagebase:0x310000
                  File size:34'446'744 bytes
                  MD5 hash:91A5292942864110ED734005B7E005C0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false
                  Show Windows behavior

                  File Activities

                  Show Windows behavior

                  Section Activities

                  Show Windows behavior

                  Registry Activities

                  Show Windows behavior

                  COM Activities

                  Show Windows behavior

                  Mutex Activities

                  There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                  Show Windows behavior

                  Thread Activities

                  Show Windows behavior

                  Memory Activities

                  Show Windows behavior

                  System Activities

                  There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                  Show Windows behavior

                  Windows UI Activities

                  There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                  There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                  There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                  General

                  Target ID:2
                  Start time:11:10:27
                  Start date:10/04/2025
                  Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C4D1528C-5EE1-4BA2-8C7D-CA8BCC23755A" "26EB5C07-BFA4-42B0-A714-3998933FECAF" "6296" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                  Imagebase:0x7ff6fdd80000
                  File size:710'048 bytes
                  MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false
                  There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                  Show Windows behavior

                  Section Activities

                  There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                  Show Windows behavior

                  Mutex Activities

                  Show Windows behavior

                  Process Activities

                  Show Windows behavior

                  Thread Activities

                  Show Windows behavior

                  Memory Activities

                  Show Windows behavior

                  System Activities

                  There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                  Disassembly

                  No disassembly