Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Unconfirmed 287374.eml

Overview

General Information

Sample name:	Unconfirmed 287374.eml (renamed file extension from crdownload to eml)
Original sample name:	Unconfirmed 287374.crdownload
Analysis ID:	1587902
MD5:	9e736762a0a740c8a40d59fe49fdee9a
SHA1:	461802dffaba1f70ee24a3b72a8766f23021f65c
SHA256:	4db97d85074440b29209d8dc72afad1f361063c0aacf0ea32ff36c8b4f03dbae
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected potential phishing Email

Email DMARC failed

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

×

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 3620 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Unconfirmed 287374.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 572 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BC8A1BD2-9AFB-4BF5-9967-4DCCB031017C" "02C8B511-23E0-4604-BBC2-C180806C32D3" "3620" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 3620, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected potential phishing Email

Source: Email

Joe Sandbox AI: Detected potential phishing email: The sender's email domain 'tampabay.rr.com' doesn't match the claimed identity of a company employee. The request involves changing payroll banking details, a common phishing tactic. The email chain shows suspicious forwarding patterns and inconsistent sender identities

Email DMARC failed

Source: Unconfirmed 287374.eml

Email attachement header: X-MS-Exchange-Authentication-Results: fail action=none header.from=motorcarsacura.com

Source: Email

Classification: Payroll Fraud

Source: classification engine

Classification label: mal48.winEML@3/3@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250110T1226080191-3620.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Unconfirmed 287374.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BC8A1BD2-9AFB-4BF5-9967-4DCCB031017C" "02C8B511-23E0-4604-BBC2-C180806C32D3" "3620" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BC8A1BD2-9AFB-4BF5-9967-4DCCB031017C" "02C8B511-23E0-4604-BBC2-C180806C32D3" "3620" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	11 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587902
Start date and time:	2025-01-10 18:25:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Unconfirmed 287374.eml (renamed file extension from crdownload to eml)
Original Sample Name:	Unconfirmed 287374.crdownload
Detection:	MAL
Classification:	mal48.winEML@3/3@0/0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 52.111.243.43, 52.111.243.41, 52.111.243.42, 52.111.243.40, 104.208.16.89, 13.107.246.45, 4.175.87.197, 184.28.90.29
Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, neu-azsc-config.officeapps.live.com, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, s-0005.s-msedge.net, onedscolprdcus11.centralus.cloudapp.azure.com, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "explanation": [ "The sender's email domain 'tampabay.rr.com' doesn't match the claimed identity of a company employee", "The request involves changing payroll banking details, a common phishing tactic", "The email chain shows suspicious forwarding patterns and inconsistent sender identities" ], "phishing": true, "confidence": 9, "generated_by_ai": false }
{ "date": "Fri, 10 Jan 2025 16:35:28 +0000", "subject": "FW: RESET DD", "communications": [ "Hello Team,\n\nNot sent from Dawn sending your way\n\n\nMichael Marcellino\nVice President\nMotorcars Acura / Volvo\nmmarcellino@motorcarsacura.com<mailto:mmarcellino@motorcarsacura.com>\nmmarcellino@motorcarsvolvo.com<mailto:mmarcellino@motorcarsvolvo.com>\n440-439-8400\n\n\n\n", "From: Dawn Smith <bmartin1041@tampabay.rr.com>\nSent: Friday, January 10, 2025 10:57 AM\nTo: Michael Marcellino <mmarcellino@motorcarsacura.com>\nSubject: RESET DD\n\nHi Michael,\n\nI would like to request a change to my checking account for the upcoming payroll, Please let me know what information you need from me to facilitate this change.\n\n\nThank you for your assistance!\"\n\n\n\nBest Regards\nDawn Smith\n..\n\n\n\n" ], "from": "Michael Marcellino <mmarcellino@motorcarsacura.com>", "to": "CTMS Service Team <help@ctmsohio.com>", "attachements": [] }
URL: Email Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Email Model: Joe Sandbox AI	{ "brands": [ "Acura", "Volvo" ] }
	{ "brands": [ "Acura", "Volvo" ] }
URL: Email Model: Joe Sandbox AI	{"classification":"Payroll Fraud"}
Email: Detected potential phishing email: The sender's email domain 'tampabay.rr.com' doesn't match the claimed identity of a company employee. The request involves changing payroll banking details, a common phishing tactic. The email chain shows suspicious forwarding patterns and inconsistent sender identities	{"classification":"Payroll Fraud"}

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	13.107.246.45
	17048156412338914445.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	251443863021115246.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	12662108703247616042.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	wN7EPNiHSM.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	334130052300215064.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	489131343024428850.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250110T1226080191-3620.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.4831494787922
Encrypted:	false
SSDEEP:	768:7phh1hqd56eZ7O6hvLn4WdT9ovBUDgxQuuUFIWdeWY0MmEKX9AEy:7vWhr4ST9ovBUDgxQuuUFBi0MmRX9ny
MD5:	3BF68FA778FFB8504D21E87524F2A6C0
SHA1:	6D3FF18BEC2B1DAD13B4698384FBE54C0ADCFC62
SHA-256:	A9F36F3844A6B2C8A7206CE6BB4EBE43DD5D3269D71254C186B3CDDF2A0EDB9C
SHA-512:	6E8B488F19631203CEF552EA416900749EC69AD9219259462DC0677553667072E2626FB9A5BDB19E467E27409F7C434D377D0DF644806C7E8B153509698B25F5
Malicious:	false
Reputation:	low
Preview:	............................................................................f.......$...!.3..c..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@h.HK...........!.3..c..........v.2._.O.U.T.L.O.O.K.:.e.2.4.:.f.7.d.f.c.5.7.6.6.f.d.1.4.6.3.f.a.3.5.0.8.f.e.f.4.d.a.2.b.1.8.4...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.1.1.0.T.1.2.2.6.0.8.0.1.9.1.-.3.6.2.0...e.t.l.........P.P.....$....E6..c..................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	3.104914856127757
Encrypted:	false
SSDEEP:	1536:GfTA5O0a6KFxkbR4732lsutbt1Wy4xyscEI+QcM7cG0RPW53jEpEHP4qQ10PAwrR:GbAKlxgnelp9pp4
MD5:	59196F8429FC46D2683E1B74EAFC2767
SHA1:	494F84CD2C90E22763B4358308F793ACD6EA2C5F
SHA-256:	3D0AF8E7C3F3F3FBCAD958938FE07F31F6BEFFD12414C38B0A9C812E13E6B586
SHA-512:	6B160857A805EFF9E44C19835A75D4BB23B95C422DC2583E8ED40B4ED82AC0CF6EBD9C88F8563D9527AF36D0A45429225A49F6D9D86E77C7C2A0754779F09DAE
Malicious:	true
Reputation:	low
Preview:	!BDN....SM......\...Sr..........3.......U................@...........@...@...................................@...........................................................................$.......D....................../...............2....................................................................................................................................................................................................................................................................................................0..W.K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	4.099326915265922
Encrypted:	false
SSDEEP:	1536:/TZwHBQ4MWcFAW53jEpEHP4qQ10PAwr8TsiDDCHd:/lipXp9z7C
MD5:	F151E67CE3464A07CB730C38CC117D8A
SHA1:	1F4E5AE68E817D535AC8C12F5A944CA8AD64B57C
SHA-256:	125B0C5EBA5D690E01801B4610A0E59C4B3A02EC7DA68FADCF348846B0C2C6FD
SHA-512:	3FB18BABB1A55C362A4928A8A7A24463C05CD0A419C5AD585218FB18FD2248AAAE24FF23B9F8750E13BBB395F348A89C49032DF9C02D281B39F307265AD1E83F
Malicious:	true
Reputation:	low
Preview:	5E;.C...[.......$...~!...c....................#.!BDN....SM......\...Sr..........3.......U................@...........@...@...................................@...........................................................................$.......D....................../...............2....................................................................................................................................................................................................................................................................................................0..W.K.~!...c.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with very long lines (347), with CRLF line terminators
Entropy (8bit):	6.067330877410268
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	Unconfirmed 287374.eml
File size:	42'825 bytes
MD5:	9e736762a0a740c8a40d59fe49fdee9a
SHA1:	461802dffaba1f70ee24a3b72a8766f23021f65c
SHA256:	4db97d85074440b29209d8dc72afad1f361063c0aacf0ea32ff36c8b4f03dbae
SHA512:	facfc636ca79f16f78192941ea0ddb3a434ff35c93f3a27625f1fa9ef23eccecea5873da2903f2011a0001f1cc548dd6aafe6a5bf316e4c5d107763d01c118bd
SSDEEP:	768:vs+yGZYfp4PrsXkjDG//wmyOsknpkukjbuIxrYtXAnrYOVYuVPVYhnY:vs+yGSferZt4ir0y
TLSH:	6A132BC10D561432FB8A2ECC4B487C4E61157B8FACFADCC136E6A566EC8B07B4A4179D
File Content Preview:	Received: from LV8PR17MB7111.namprd17.prod.outlook.com (2603:10b6:408:189::20).. by IA1PR17MB6647.namprd17.prod.outlook.com with HTTPS; Fri, 10 Jan 2025.. 16:36:01 +0000..Received: from BY3PR10CA0011.namprd10.prod.outlook.com (2603:10b6:a03:255::16).. by

Static Mail

General

Subject:	FW: RESET DD
From:	Michael Marcellino <mmarcellino@motorcarsacura.com>
To:	CTMS Service Team <help@ctmsohio.com>
Cc:
BCC:
Date:	Fri, 10 Jan 2025 16:35:28 +0000
Communications:	Hello Team, Not sent from Dawn sending your way Michael Marcellino Vice President Motorcars Acura / Volvo mmarcellino@motorcarsacura.com<mailto:mmarcellino@motorcarsacura.com> mmarcellino@motorcarsvolvo.com<mailto:mmarcellino@motorcarsvolvo.com> 440-439-8400 From: Dawn Smith <bmartin1041@tampabay.rr.com> Sent: Friday, January 10, 2025 10:57 AM To: Michael Marcellino <mmarcellino@motorcarsacura.com> Subject: RESET DD Hi Michael, I would like to request a change to my checking account for the upcoming payroll, Please let me know what information you need from me to facilitate this change. Thank you for your assistance!" Best Regards Dawn Smith ..
Attachments:

Headers

Key	Value
Received	from BN8PR15MB2978.namprd15.prod.outlook.com ([fe80::92bc:872e:5fb4:7da8]) by BN8PR15MB2978.namprd15.prod.outlook.com ([fe80::92bc:872e:5fb4:7da8%4]) with mapi id 15.20.8293.020; Fri, 10 Jan 2025 16:35:29 +0000
Authentication-Results	spf=pass (sender IP is 104.47.55.42) smtp.mailfrom=motorcarsacura.com; dkim=pass (signature was verified) header.d=motorcarsacura.com;dmarc=pass action=none header.from=motorcarsacura.com;compauth=pass reason=100
Received-SPF	Fail (protection.outlook.com: domain of motorcarsacura.com does not designate 103.246.251.224 as permitted sender) receiver=protection.outlook.com; client-ip=103.246.251.224; helo=mfod-use2.prod.hydra.sophos.com;
X-Sophos-Product-Type	Mailflow
X-Sophos-Email-ID	080d4276f49f4dcea2b9640f0c735308
Authentication-Results-Original	dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=motorcarsacura.com;
ARC-Seal	i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=DCKeEiEpeWNgIF9s30uAPMlc7gqCHrxeoniEbRAwRch24MDX0M/tOXqoqR+tonkMTXHJ1syXGstNVLj823QS3JLILKU1A10AZ+IvmD6pI/0nYgLCzsBklpzn4s2v58Ko1RJkIEJu0LsCYsZ4AYHFTJHtKqiC3y7WXMgiOMDs2xFAqsKyAZ0R4rWZKTUEczl+JxBz1lpHqNoDQm8jlyy9I39W3zdKophAbS76IOq/YTxcwdWlccftKb47WDYsOUy4yjO7SIphwhwqzK6mQg4kJqvWQxZTy++Fl3B+P+MUFBA7GxQOM+sqg2lzRX+XHeWJaZPxovcBHwugHGAP3/EjMg==
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=L5h40bLKCDRS8Q2rS+EEMWKj81hGcB0DVPitpJVyApA=; b=TEj+wetuJrdGzBhdxU+XLPi5q9H3wfzIVmvcugmzK83NvRawZUvYila56Z9sJW8dX3ejn0YTYH8F6Y4tnpQgmChXc52Le1UH/gQm0wMMomzFEUM2oQu2gmjWMtltaN+O6GTtriPlheyLBzcQEAt5b5qX3R+9MgIFjvVVmKMwwi8Izw9Lb16T/sx1Uxja+2oSR6M451wWa/0EJzqRw9xkR1tBkLaeLwtz8ardlkXzg9JvzAmHDHYGs74H7Tvne5P7Tu/aNqrLN0YJN9nNlxw2QfLJH0ZzS4XMavjHgt+BTx5zPytT0pwhjTvpZsQZNQur8UFFLlwIVoQd5uMFWL2cxA==
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=motorcarsacura.com; dmarc=pass action=none header.from=motorcarsacura.com; dkim=pass header.d=motorcarsacura.com; arc=none
DKIM-Signature	v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1736526928; s=v1; d=mail-dkim-us-east-2.prod.hydra.sophos.com; h=Content-Type:Date:Subject:To:From; bh=siKUna9H3G7uAUOL9oDcSSLR+EUPZQBo7zPi0BnptRQ=; b=uMccmwgAvOsHLtUB7taWPWKAA7Ls3OWSnNaQqSJZq5Cc4wdt7yv2PXmZuWKrvUF1 p+OZG8vE/PiJvBw2t/e/UsXsPxpycmCsp14iLgvf3bYTVQMO2mB5vih24xMnyYq/kgM OtW0tmIKrPxrrD4L48LSu5zp4i/UTdgAIAbc8hoja5HEt17jNZU2d7EOIZOQDdssjVc 0n43slEjE8gzomgKpJhEEfatLzRNWtizw9YCNRoUVHsBNbUKh4rUc7AU7WuESVAvt8p RJ/C8P5MnYTtH386sny9dB7ck3403BgcrnPRTxVUiFoHSG8Z9oe68+bwiv1kZ10vOD6 omczshQ2Aw==
X-MS-Exchange-Authentication-Results	spf=fail (sender IP is 103.246.251.224) smtp.mailfrom=motorcarsacura.com; dkim=pass (signature was verified) header.d=mail-dkim-us-east-2.prod.hydra.sophos.com;dmarc=fail action=none header.from=motorcarsacura.com;
From	Michael Marcellino <mmarcellino@motorcarsacura.com>
To	CTMS Service Team <help@ctmsohio.com>
Subject	FW: RESET DD
Thread-Topic	RESET DD
Thread-Index	AQHbY3hd2mhT00cfg06GEXr2/0rUw7MQM+dA
Date	Fri, 10 Jan 2025 16:35:28 +0000
Message-ID	<BN8PR15MB2978CEA44465C0526D77CBBDC41C2@BN8PR15MB2978.namprd15.prod.outlook.com>
References	<7bd2595dbd734b9acc6c0c8f5ca8a5d8447c07ba@webmail>
In-Reply-To	<7bd2595dbd734b9acc6c0c8f5ca8a5d8447c07ba@webmail>
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach
X-MS-TNEF-Correlator
x-ms-traffictypediagnostic	BN8PR15MB2978:EE_\|SA6PR15MB6692:EE_\|SJ5PEPF000001F0:EE_\|DS1PR15MB6592:EE_\|CY4PEPF0000EE3E:EE_\|DS0PR17MB6231:EE_\|CO1PEPF000042A7:EE_\|LV8PR17MB7111:EE_\|IA1PR17MB6647:EE_
X-MS-Office365-Filtering-Correlation-Id	8139f1d2-9bbc-45dc-d575-08dd3194da9a
X-MS-Exchange-SenderADCheck	1
X-MS-Exchange-AntiSpam-Relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|35042699022\|8096899003;
X-Microsoft-Antispam-Message-Info-Original	xzkxkJ55LL6nkCBFvuTtGOiz5kfyfJrogTJXONMaEC1R0JYbThIK7Iv8fwRJxAIWMUeyPy6mOACKdzm/iztljgrZSWQcZrDcrvEQ4GK59ClvZQXc8gNtI0p//P3LS1pA2x181ihxlsmtbT5omvTFweadAKFbOUSRdmYPSaL+58PLPvTYXuuzF51/u7x0bKJkS035SAjQ+rVDmGl/gOhdFjQeR2Kceh+V7vamYZKvlXZ+HCCXWFC/IYRcyFYEU9ExZt17dlz4IxIxmoLa6QjmhFLGZ6AtRnu9K5eQNkR5Njc1eNZGdNwJPREfVfLP0ZjqZHxxC0bstMhufHv+xdFOqnzSVhlHHvliK3kXTo4P5kr/D++yHYY1MMN7SrvM6UszR/ATBK9OX48OyWtixCWdjSoWDyLLoOukt+540lExIau3cG++4CgAXXwMHtKnaIQjsnY4nssdSQHcRuCqP04JF2uiBybagNFSwH9cmixO52n8qr7zY3Bus5yAgxhGTkUwjqMEt6lL7ro/BsrfQJ6gPW4afvIW3AVQCWOhIZmcLB0x78W+/TEfaibXYDPhYymkveAoTW8Xt6aWzoI+JLcwuvYvMMO4saPRD3tIga/7b6Hup6SkH7ayXg8BZ3m0ci+waPPi6uDhNIipUsjDBoveUJjVXpb+/KVctPTUdJB+0DO7P9PzCWxRHY0Ba1zWtoRa1OWHfeJ8PKjSjmpCNKJebOkxisJohqZ93IRiQmyMHjptqeXxU/P8M3kM+FJDwPJjNWWm9nCxC+CafC0J4bq0+gMxWnhKkId/2vCO1YFHLd4B1s4u7oIoaW4Sjf/xElkTARP6Yv5QG51fU/Dltdo7JmHS6kaqZ1MHCcvt+60cyQR3i5naP5Iuz1s3duH9ATnga6gP0v619ltun1VUG/rGSZmn+SWydSA+I8Dc04WXjGh0OTf8CcdEvXSFt39Uw9ehBEcf6LvXPo4LHiAqA2A5dQckc2OXp6tM8qLwesHdLDYP5OONCc1R0bQX1vQX7xOnuRvn3LDHh/iUKPbza7/TmrRPiZ175upCQlLUjzTc2DNpeT0b34EvAZOecxjLlupFjREaEgcB8+ysPnNFeDJ1wgud/DEBEmOttP9fPucqIKs1qjD2OOEQCPiatyvoq7RmZtVFTzcf/68LdeZQwg9iqO4iSTAQ8PIbFkJ1kYNm2K1B8/3+oBL06HbNJHsC6WaRo7zND8ve2/UfIkRXoHLF2UpUCnvMKVk/DmVUGyGB1HHppW9TAYmElLZ7IOhjauJ6rVEZRcuXkHMvrpO3AaHdrSDoBTdDjyz5jPvC7kFwivrP7KDk8htbVRvGuckoNvrruz3/kPMB72YygJxl1umwl6bry56FWTDGd8tQPZ+X3FLbDDL9J7Y3dq1RbNPNUE+GhZHr/s8fWf1dwJjbF4m5TSbnGrHpI5KmkJlGt7sRckKk3KuwL/AgcEGvsCW6xacmluyw1f0ezZmHEL+GJBV4FXctv0ED8xXvn2jVUUEMG5+yQ1/IGs4neWDfZZzQLQkNRbLELzSQmKQTP/2iKIZ4qu405dgiXIf/njIXUSksnnerAtr/c6bCY7Kx/5tGJ5FAPnr9NFuW7XB5gYOr/+aLzeXVfsUg++p3dE99jkQdeI3l9CrI3H1Dy33ilW6R66x7Kjfyz6n2vBoYl9cMBGQm1YwZWxzwwmmhtNEUyCiY9qSpggbiKa1Y56djdXvqwBWi+j9TkT3A0RiFbNfn5FU2la9FP37TM7pqvNgouIF5JxB9JKfNFlf04R/bAUFIP0y8468Q476D/gN/pHoaq6XdhJZQ9ZA1vzUpJfPGohLiIN8ugLdoLMOspQjq8AHyXTF2ClTgb6Qqqfd+xas9ILAx+xG7DCXD2fKbFL+brzghyDtr4HEF1tNn4AB/msuz7E6O91Z+X7/MfT0LYj54S6zjTmyl7StY7xAhcl2N0xJgVWCBVhpQSMthHnEEQ1aivZM9f5yrh7vhQIcNeML1osTvRvLN7DUjwtsb9ToK51IZSbHuG9q1ryFPxo6Vuk7/TCvJd6mLVq0auQxrQqJEVT+QK93APRwjfqXh+Q2XRfhRIjs=
X-Forefront-Antispam-Report-Untrusted	CIP:40.107.93.96; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:NAM10-DM6-obe.outbound.protection.outlook.com; PTR:mail-dm6nam10on2096.outbound.protection.outlook.com; CAT:NONE; SFS:(13230040)(35042699022)(8096899003); DIR:INB;
Content-Type	multipart/alternative; boundary="_000_BN8PR15MB2978CEA44465C0526D77CBBDC41C2BN8PR15MB2978namp_"
X-MS-Exchange-Transport-CrossTenantHeadersStamped	LV8PR17MB7111
X-Sophos-Email	[us-west-2] Antispam-Engine: 6.0.1, AntispamData: 2025.1.10.161246
X-LASED-From-ReplyTo-Diff	From:<ctmsit.com>:12,From:<ctmsohio.com>:12
X-LASED-SpamProbability	0.099750
X-LASED-Hits	ARCAUTH_PASSED 0.000000, AUTH_RES_PASS 0.000000, BODYTEXTH_SIZE_10000_LESS 0.000000, BODYTEXTH_SIZE_3000_MORE 0.000000, BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_SIZE_8000_8999 0.000000, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000, DMARC_FAIL 0.000000, DQ_S_H 0.000000, FRAUD_HIGH_X3 0.000000, HREF_LABEL_TEXT_NO_URI 0.000000, HREF_LABEL_TEXT_ONLY 0.000000, HTML_70_90 0.100000, IMP_FROM_NOTSELF 0.000000, INBOUND_SOPHOS 0.000000, INBOUND_SOPHOS_TOP_REGIONS 0.000000, IN_REP_TO 0.000000, KNOWN_MTA_TFX 0.000000, LEGITIMATE_SIGNS 0.000000, MSG_THREAD 0.000000, NO_CTA_URI_FOUND 0.000000, NO_FUR_HEADER 0.000000, NO_URI_HTTPS 0.000000, OBFU_SHORT_10CHARS 0.500000, OUTBOUND_SOPHOS 0.000000, REFERENCES 0.000000, SUSP_DH_NEG 0.000000, SXL_IP_TFX_WM 0.000000, __ANY_URI 0.000000, __ARCAUTH_DKIM_PASSED 0.000000, __ARCAUTH_DMARC_FAIL 0.000000, __ARCAUTH_DMARC_PASSED 0.000000, __ARCAUTH_FAIL 0.000000, __ARCAUTH_PASSED 0.000000, __ARC_SEAL_CV_FAIL 0.000000, __ARC_SEAL_MICROSOFT 0.000000, __ARC_SIGNATURE_MICROSOFT 0.000000, __ATTACH_CTE_BASE64 0.000000, __AUTH_RES_DKIM_PASS 0.000000, __AUTH_RES_DMARC_PASS 0.000000, __AUTH_RES_ORIG_DKIM_NONE 0.000000, __AUTH_RES_ORIG_DMARC_NONE 0.000000, __AUTH_RES_PASS 0.000000, __BEC_PHRASE 0.000000, __BODY_TEXT_X4 0.000000, __BOUNCE_NDR_SUBJ_EXEMPT 0.000000, __BULK_NEGATE 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000, __DKIM_ALIGNS_1 0.000000, __DKIM_ALIGNS_2 0.000000, __DQ_D_H 0.000000, __DQ_IP_FSO_LARGE 0.000000, __DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000, __DQ_NEG_IP 0.000000, __DQ_S_DOMAIN_100K 0.000000, __DQ_S_DOMAIN_10K 0.000000, __DQ_S_DOMAIN_1K 0.000000, __DQ_S_DOMAIN_HD_1_P 0.000000, __DQ_S_DOMAIN_HIST_1 0.000000, __DQ_S_DOMAIN_RE_100_P 0.000000, __DQ_S_DOMAIN_SP_0_P 0.000000, __DQ_S_HIST_1 0.000000, __DQ_S_HIST_2 0.000000, __DQ_S_IP_HD_10_P 0.000000, __DQ_S_IP_MC_100_P 0.000000, __DQ_S_IP_MC_10_P 0.000000, __DQ_S_IP_MC_1K_P 0.000000, __DQ_S_IP_MC_1_P 0.000000, __DQ_S_IP_MC_5_P 0.000000, __DQ_S_IP_RE_49_L 0.000000, __DQ_S_IP_RE_99_L 0.000000, __DQ_S_IP_SC_10_P 0.000000, __DQ_S_IP_SC_1_P 0.000000, __DQ_S_IP_SC_5_P 0.000000, __DQ_S_IP_SP_0_P 0.000000, __FRAUD_BEC 0.000000, __FRAUD_COMMON 0.000000, __FRAUD_MONEY 0.000000, __FRAUD_MONEY_GENERIC 0.000000, __FRAUD_REPLY 0.000000, __FRAUD_SUBJ_ALLCAPS 0.000000, __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FUR_RDNS_SOPHOS 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_MSGID 0.000000, __HAS_REFERENCES 0.000000, __HAS_X_FF_ASR 0.000000, __HAS_X_FF_ASR_CAT 0.000000, __HAS_X_FF_ASR_SFV 0.000000, __HIGHBIT_ASCII_MIX 0.000000, __HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_BOLD 0.000000, __HTML_HREF_TAG_X2 0.000000, __HTML_TAG_DIV 0.000000, __IMP_FROM_NOTSELF 0.000000, __INBOUND_SOPHOS_US_WEST_2 0.000000, __INTERNAL_SOPHOS 0.000000, __IN_REP_TO 0.000000, __JSON_HAS_MODELS 0.000000, __JSON_HAS_SCHEMA_VERSION 0.000000, __JSON_HAS_SENDER_AUTH 0.000000, __JSON_HAS_TENANT_DOMAINS 0.000000, __JSON_HAS_TENANT_ID 0.000000, __JSON_HAS_TENANT_SCHEMA_VERSION 0.000000, __JSON_HAS_TENANT_VIPS 0.000000, __JSON_HAS_TRACKING_ID 0.000000, __MAIL_CHAIN 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000, __MSGID_32_64_CAPS 0.000000, __MTHREAT_15 0.000000, __MTL_15 0.000000, __OUTBOUND_SOPHOS_FUR 0.000000, __OUTBOUND_SOPHOS_FUR_RDNS 0.000000, __RCVD_FAIL 0.000000, __RCVD_PASS 0.000000, __REFERENCES 0.000000, __SANE_MSGID 0.000000, __SCAN_DETAILS 0.000000, __SCAN_DETAILS_SANE 0.000000, __SCAN_DETAILS_TL_0 0.000000, __SCAN_D_NEG 0.000000, __SCAN_D_NEG2 0.000000, __SCAN_D_NEG_HEUR 0.000000, __SCAN_D_NEG_HEUR2 0.000000, __STYLE_RATWARE_NEG 0.000000, __STYLE_TAG 0.000000, __SUBJECT_ALLCAPS 0.000000, __SUBJECT_NOLC 0.000000, __SUBJ_FORWARD 0.000000, __SUBJ_SHORT 0.000000, __TAG_EXISTS_BODY 0.000000, __TAG_EXISTS_HEAD 0.000000, __TAG_EXISTS_HTML 0.000000, __TAG_EXISTS_META 0.000000, __TO_MALFORMED_2 0.000000, __TO_NAME 0.000000, __TO_NAME_DIFF_FROM_ACC 0.000000, __TO_REAL_NAMES 0.000000, __URI_MAILTO 0.000000, __URI_NO_WWW 0.000000, __URI_NS 0.000000, __X_FF_ASR_SCL_NSP 0.000000, __X_FF_ASR_SFV_NSPM 0.000000
X-LASED-Impersonation	False
X-LASED-Spam	NonSpam
X-Sophos-Mailflow-Processing-Id	d6c0b2389e8244b58f5058a406e7a94d
X-EOPAttributedMessage	2
X-MS-Exchange-Transport-CrossTenantHeadersStripped	CO1PEPF000042A7.namprd03.prod.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs	fa5184f1-7a32-495a-b5e9-08dd3194d1ea
X-EOPTenantAttributedMessage	777b3e9b-be31-4bde-a515-52b092454f4e:1
X-MS-Exchange-Transport-CrossTenantHeadersPromoted	CY4PEPF0000EE3E.namprd03.prod.outlook.com
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Sophos-Email-Scan-Details	27140d1e1540510e7e771140550e7d75
X-Sophos-SenderHistory	ip=103.246.251.224, fs=70216500, fso=97633953, da=229985559, mc=642440, sc=99, hc=642341, sp=0, re=20, sd=0, hd=30
X-Sophos-DomainHistory	d=motorcarsacura.com, fs=0, fso=84754762, da=90728383, mc=0, sc=0, hc=0, sp=0, re=228, sd=0, hd=1
X-Sophos-MH-Mail-Info-Key	NFlWNmo2M1AwV3ozd1pCLTE3Mi4xNy4xLjY5
Return-Path	mmarcellino@motorcarsacura.com
X-MS-Exchange-Organization-ExpirationStartTime	10 Jan 2025 16:35:54.8979 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	8139f1d2-9bbc-45dc-d575-08dd3194da9a
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-Exchange-SkipListedInternetSender	ip=[104.47.55.42];domain=NAM10-MW2-obe.outbound.protection.outlook.com
X-MS-Exchange-ExternalOriginalInternetSender	ip=[104.47.55.42];domain=NAM10-MW2-obe.outbound.protection.outlook.com
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	CO1PEPF000042A7.namprd03.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Exchange-Organization-SCL	-1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|35042699022\|82310400026\|2040899013\|8096899003;
X-Forefront-Antispam-Report	CIP:198.154.181.192;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKN;H:NAM10-MW2-obe.outbound.protection.outlook.com;PTR:mail-mw2nam10lp2042.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022)(82310400026)(2040899013)(8096899003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	10 Jan 2025 16:35:54.8198 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id	8139f1d2-9bbc-45dc-d575-08dd3194da9a
X-MS-Exchange-CrossTenant-Id	777b3e9b-be31-4bde-a515-52b092454f4e
X-MS-Exchange-CrossTenant-AuthSource	CO1PEPF000042A7.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-EndToEndLatency	00:00:07.0509599
X-MS-Exchange-Processed-By-BccFoldering	15.20.8335.010
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	jVfMLxJB5wTzxtyW/ulNOmS1UTusdqRq+SVWnXDRONhEMvdyjpvGXfG9R4gpFnrspsXioCVVrVB8XqIMpZxugThVzGj1+tP6W3lYHTftDNHrfogfstDbelDGqJL8t5zqGi8DCnIjXkwabo5hAvAIxuB0IWV52tHmCppi9vNp9OtI/+gK76KjjMxbU5kGOWV1RtyrWM3hTEXCJb4A8O464cb5QtXNT9iqQiBoM5F8/A8CBiOfmZEjx9QXA4ZS6LVzeQP1W+me0DKX/CGsNm8trpW9h2BQiZIRrR9+/68jiobSxPRYcz78ffE0/nACf0bMnA9gihBFqZjvTuJCi5jq74HyWGDVeEddyf76KqRFNx7R9qx7Yy7mjFhlexS7sjlgDXkhNiXvScoXLoju5+aO400CZaKhbBXNldLQjwWOmAfzuBb7OhbQtSJuj2nZezTSkbacQnOwJVBT/CPOj37ppnA+dNLkFjdULB4rT1dSMJf5E8y6qrR2iIaJoZtTLYcew+LovD5ou1Pio2SYpY5yOaQ0T5D8+cGmRoP61bT8hDvKVIBv00KSQ6uu7iS80slC2hETQIo56eINxkj12N3AttoHVKau2lskT23SUdv3LJScBO45kOPOklnmbhwyur1q20W1xwd0OOYVV/iXsYdecJcxxlmiU3k/PeOr3ymQxxwkkACfYDnJdRIrBINRoBUGE3MShvbdQTvGPVOF6+ggVzLteXelAw+E6cSPkAVskCGrbFbmfIBufqOPZvfVADuACQA66KafZjSPwZZpDZdlriizSQqvqPSDvzmyqi/Lebiz2LNyJpRFSalmeMvsJddlK0lbS1a3Fum+eRXtIxUHGLCeiaQnx/rl/cpWtWq7TBiDBAA6cfcr4cGuaF/DshlWvU+uoZ2Ek3DKEacH6rZLOcH/R2mZ5rHoF0Xg68779w8G2cumBm9x0pcOROgqIRuiq1RK0bW+dYZN+x2gX8qeZLSQD2m75DU6vkKrCT7vVwWZeRodFGLvlhlc+t3q13G7HOF1yEm2ubXQYD3gbmrrBJv8agHYkWOk04VU7EOCse4DmDqaVYICTUj3QRHnibshU5sW9+vUzZmZJZCpkWXh8UrqCGy/7CWJYbde8VwOf/XZ36H5m3SsaOeMUZSXyol89HRwBD1GTApJ/1jF55xsmmcS9TlryEZr2bwVne5uiJJ+1A3FdH/66eTwWbZmMRNFzW1i1CBchL8lzk2twPpHLWOflYst9LJkLecSmuUqTPjmkx1h2hLN3nuU/9JmkvBKlUb0mwGX3L+zFUoelbULZwUXWDFLtFSyFJ739aN43lBrNdaOpHFp9eFOW7Z1CsBzxDiJzhohrM9qf1X68TqkPuL1Gx02dwCrZq02cy69swgttMNsM/oenexf0zSzEnejZp0DYL8KYg3b7c8WQ/MAwEBrImmGOpjOQHrpF9r0ng9a2dA1sro7c8YUAkt6XMh2P3PcRr+G1PZMN+VZSdplkOg8ox/5e1SU1oVnaxVk5q2Wf0NhFlUhlOwHk025GHAGNf6qwkZLELsbdlhM8kN5FxMQJ06moJF2WVuHso6uHjKJeGLdvS44sgVvPfodA6wE4HivZ1M3E+YMtdAh397PRMUfIJY+q1fc0hGeCATsLdSYysJKZrUwEZgydZuyxNY61im9R7iSZ2AKEhXyErd+bJMUbWxheCGYPt5/A/J00mkuHogne2cz/8i4dCTe2LsCSot2nUS59Wp/86Gs44QjzBLPuGKOigRST4Lgk1HJQIUwEo6T1TDtO9tJds+3TWhNyF4lZ3exo3e2gGXVCXTIZfKv800UZWnsCEJSYhZL9No2eqD0MdrYCHpd0Q/4bk84+X37s+n+06s10lfCxREX+PDGIWYR/R8HIJ8qhoL6/1VdFRBQdzPchAELRcjuC8b7Xc572bK1b3Bn47mQ50JAPAUkZA01OEpnDfSprUofswXK66W+4vZvAmt0Fdi88wz8tBh9kCiYuWpkLRpavn9lO87Nc7wTjE98t6ggvbG1THxiB6Kd8kZQx3lhiXxaOgtr7Q22f0NaiSUMrDwvNdvSHnfYIlfrOFPyP9O9xEn/lkffKQXMtAW7tcs8GbsDw4LuM6nsbiXbvZ30p87uMeI1XOPmZNN0N3qDcawkk8vuEEvXiLjylV/0jFDpclPHquP7og08ClAvH7MTUXipoHOFOzvxeOyaDHUODWqBdtDz8E/904B6nW+Lithvu5KRI/afaOgockueerM0zi1BTrO81KY4uFFKw9IW3+TIhDZTwbjCC3Vd5++SMW8roTB0UljGTgzqQiSOO6hTsQHYlfvGu4EKHjHXkyHITnkE5xAJZv/2w3s/faiLZPlIFpATES8AKTVU5qbafYabiQoWtqp+Zg==
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 18:26:03.133014917 CET	1.1.1.1	192.168.2.6	0x9984	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 18:26:03.133014917 CET	1.1.1.1	192.168.2.6	0x9984	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 3620, Parent PID: 4004

General

Target ID:	1
Start time:	12:26:07
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Unconfirmed 287374.eml"
Imagebase:	0xa40000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: ai.exePID: 572, Parent PID: 3620

General

Target ID:	3
Start time:	12:26:11
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BC8A1BD2-9AFB-4BF5-9967-4DCCB031017C" "02C8B511-23E0-4604-BBC2-C180806C32D3" "3620" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff6e23c0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly