
Windows Analysis Report
1741618096-102373-7694-5517-2.eml

Overview

General Information

Sample name:1741618096-102373-7694-5517-2.eml
Analysis ID:1634556
MD5:c852d3e2e617b0b768367453d1ef73ca
SHA1:c6d1f3fdb3591b2421ca0409658c41c66d87b7ff
SHA256:c552cdd740fe1e82fc8857d65b5876fbeacce228ad655f0cd5d55d92c2eb8e05

Detection

Score:52
Range:0 - 100
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7256 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\1741618096-102373-7694-5517-2.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7416 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6D35BE1F-1498-460C-BA22-19C4ADEEBB4F" "F387F593-7BE8-459E-8B0F-48C950BFE587" "7256" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma rule match (authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)) | Source: Registry Key set | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7256, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Phishing

Source: Email | Joe Sandbox AI: Email contains prominent button: 'open'
Source: Email | Joe Sandbox AI: Detected potential phishing email: The email contains excessive repetitive text which is a common phishing tactic to bypass spam filters. The sender email domain (eircom.net) doesn't match the claimed organization (Arrowheadep/Microsoft 365). The URL contains multiple redirects and suspicious domains (totalsecurityindexmemo.sharefile.com) that don't align with legitimate Microsoft services
Source: Email | Joe Sandbox AI: Detected suspicious elements in Email header: Multiple IP addresses in received header that don't match ([196.251.73.130] and [86.45.97.252]) indicating potential IP spoofing. Suspicious message-id format with 'MISSINGID' string suggesting manipulation. IP addresses from different geographical regions in single received header is highly unusual. No authentication results (SPF, DKIM, DMARC) present in headers. Minimal headers present overall, suggesting possible header stripping or manipulation
Source: Email | Classification: Credential Stealer
Source: classification engine | Classification label: mal52.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250310T1939000103-7256.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\1741618096-102373-7694-5517-2.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6D35BE1F-1498-460C-BA22-19C4ADEEBB4F" "F387F593-7BE8-459E-8B0F-48C950BFE587" "7256" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Sections loaded: apphelp.dll, c2r64.dll, userenv.dll, msasn1.dll, kernel.appcore.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (47 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK Matrix (a number in front of a technique is the hit count shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 21 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows)
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 Process Discovery; 12 System Information Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | (none) | high

    No contacted IP infos
    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1634556
    Start date and time:2025-03-11 00:37:53 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 12s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:12
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:1741618096-102373-7694-5517-2.eml
    Detection:MAL
    Classification:mal52.winEML@3/3@0/0
    Cookbook Comments:
    • Found application associated with file extension: .eml
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, TextInputHost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.28.46, 104.208.16.91, 20.109.210.53, 52.123.128.14, 23.60.203.209
    • Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedscolprdcus17.centralus.cloudapp.azure.com, dual-s-0005-office.config.skype.com, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
    • Not all processes were analyzed; report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    No simulations
    No context
    Match: s-0005.dual-s-msedge.net

    Associated Sample Name / URL | Detection | Threat Name | Context
    COTAÇÃO.xls | malicious | Unknown | 52.123.129.14
    FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg | malicious | Unknown | 52.123.128.14
    Order_Mar25.xls | malicious | Unknown | 52.123.129.14
    COTAÇÃO.xls | malicious | Unknown | 52.123.129.14
    FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg | malicious | Unknown | 52.123.128.14
    Nouvelle_commande9353834.xls | malicious | Unknown | 52.123.129.14
    Order_Mar25.xls | malicious | Unknown | 52.123.128.14
    840.xls | malicious | Unknown | 52.123.128.14
    COTAÇÃO.xls | malicious | Unknown | 52.123.128.14
    Order_Mar25.xls | malicious | Unknown | 52.123.128.14
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):106496
    Entropy (8bit):4.4956927255175385
    Encrypted:false
    SSDEEP:768:fyUmQbyBZ+NB/bs4LUQ9YUsYCmeGXojdaVMlwqWzWICkACB:c4Lr9YUsY/Xy4Dr
    MD5:682176BF0750D0872892D96D4F1F609F
    SHA1:B8D3F4FABB5CBABE9BB52AB530EBC2F5F31C6525
    SHA-256:350100706B4ACEBCA0DDC2E49FAE6C4C1AD11BABC5D6A2F13EDF8945B11EB2D8
    SHA-512:3A5A6F588E4B29BF7C120ED5D693B90EFA2C4972CFD4AB17449959859DFE3EADEDE8A1F49B5487647E12045EF5B603E0D23D74BF037F5DB95285680C48856C1D
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):271360
    Entropy (8bit):2.264306433216694
    Encrypted:false
    SSDEEP:1536:otMDTbI6Ssb/rK7W53jEpEHP4qQ10PAwrrDDhDO1W53jEpEHP4qQ10PAwr1:osSsb/4p92ADp9
    MD5:A8158F6D6A3F646021EB7D7DED622CCC
    SHA1:B22F933A6FD1B45C6DD84819FCC907B46DEFB6E3
    SHA-256:25791A4CCE554648FD5E9D063D3646D06AD67AC9907A092D216A0C1E72C9E37D
    SHA-512:67369AA8E99022DC021D718E887914C274750FCD39E00151B2E58EEB06BBAC24136B12BB7B081B0EA189EC169AD0C81B1BEBAD759C55CCEAA02822F1AAE27B0C
    Malicious:true
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):2.508513526543834
    Encrypted:false
    SSDEEP:1536:EW53jEpEHP4qQ10PAwr1hDO04BYTStDD9:Gp9TYC9
    MD5:D2FB9FB3A42C57CDFC826F4101C03F37
    SHA1:E530CFA23097ADB3193ED147C1AB96A8F4BC9947
    SHA-256:C000A7D56486F599175E3F6F11A6F89E4C0CA7ED8151370757E8DE93279E2A88
    SHA-512:7B7F7BA94C01344AF5B549A1648C0F60F6F1A9350617A9C6B33EDBAE5972EFFBAB58563ED46CC5DA820A4D33E80228A1EE4B384FD918E3E33C262051F420CC7F
    Malicious:true
    Reputation:low
    File type:RFC 822 mail, ASCII text, with very long lines (5592), with CRLF, CR line terminators
    Entropy (8bit):5.6974783018635895
    TrID:
    • E-Mail message (Var. 5) (54515/1) 100.00%
    File name:1741618096-102373-7694-5517-2.eml
    File size:9'189 bytes
    MD5:c852d3e2e617b0b768367453d1ef73ca
    SHA1:c6d1f3fdb3591b2421ca0409658c41c66d87b7ff
    SHA256:c552cdd740fe1e82fc8857d65b5876fbeacce228ad655f0cd5d55d92c2eb8e05
    SHA512:c17895109885e31f1dcfd4b36f2959c4f26734211c676ec015a58fb46624a896f5e4d90f542fbe5ab422ef5041aaabfadbf0a3deebe14b6c377c95522a219fca
    SSDEEP:96:RXCFNCh1mgkxnSjGbkkcXoJLYJvvdCM0w44AmQtl0QSerhDlptDZEYCDlJSCiRaD:YFNpvjcYXHuuxSS/pt+VQOtAf8uKvZ
    TLSH:DE12F962EB8026097175C269D560BECCD1D4843FCBA62C74FC1B2037D59C2BA496D77D
    File Content Preview:Received: from omta001.euwest3.a.cloudfilter.net (omta001.euwest3.a.cloudfilter.net [13.38.202.32]) by mx-inbound9-69.us-east-2a.ess.aws.cudaops.com (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 10 Mar 2025 14:48:32 +0000..
    Subject:Arrowheadep shared a file with you
    From:Monthly financial statemets <donot-reply@eircom.net>
    To:tkoopman@arrowheadep.com
    Cc:
    BCC:
    Date:
    Communications:
    • Arrowheadep Invited You To Edit a File. Here Is The Document That Was Shared With You. Financial Overview & Arrowheadep 2025 Salary Distribution memoThis invite will only work for you and people with existing access. Open .This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT Arrowheadep Invited You To Edit a File. Here Is The Document That Was Shared With You. Financial Overview & Arrowheadep 2025 Salary Distribution memoThis invite will only work for you and people with existing access. Open .This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT Arrowheadep Invited You To Edit a File. Here Is The Document That Was Shared With You. Financial Overview & Arrowheadep 2025 Salary Distribution memoThis invite will only work for you and people with existing access. Open .This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Arrowheadep Invited You To Edit a File. Here Is The Document That Was Shared With You. Financial Overview & Arrowheadep 2025 Salary Distribution memoThis invite will only work for you and people with existing access. Open .This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT Here Is The Document That Was Shared With You. 
Financial Overview & Arrowheadep 2025 Salary Distribution memoThis invite will only work for you and people with existing access. Open . Here Is The Document That Was Shared With You. Financial Overview & Arrowheadep 2025 Salary Distribution memoThis invite will only work for you and people with existing access. Open . Here Is The Document That Was Shared With You. Financial Overview & Arrowheadep 2025 Salary Distribution memoThis invite will only work for you and people with existing access. Open . Here Is The Document That Was Shared With You. Here Is The Document That Was Shared With You. Here Is The Document That Was Shared With You. Financial Overview & Arrowheadep 2025 Salary Distribution memo Financial Overview & Arrowheadep 2025 Salary Distribution memo Financial Overview & Arrowheadep 2025 Salary Distribution memo Financial Overview & Arrowheadep 2025 Salary Distribution memo Financial Overview & Arrowheadep 2025 Salary Distribution memo Financial Overview & Arrowheadep 2025 Salary Distribution memo Financial Overview & Arrowheadep 2025 Salary Distribution memo This invite will only work for you and people with existing access. This invite will only work for you and people with existing access. This invite will only work for you and people with existing access. This invite will only work for you and people with existing access. This invite will only work for you and people with existing access. This invite will only work for you and people with existing access. This invite will only work for you and people with existing access. Open . Open . Open . Open . Open . Open Open https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flink.edgepilot.com%2fs%2f31b31d49%2fi_JJwpf0NESlq43vs9p43w%3fu%3dhttps%3a%2f%2ftotalsecurityindexmemo.sharefile.com%2fpublic%2fshare%2fweb-s5e337270d9dd46ac8a2202957f78ac2a&c=E,1,wan6xDEUDlgOjtYJsHqIR4zP1TdirISA4Q5FTlt65xHdFbZKL10TAbh56b7SiMtebI1A3RPkSHxuSYOyicJtR1eUGozWTY8zRaTjMWlZh5P77A,,&typo=1 . . . . . . . . . . . . . . 
This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 365Office's use of Microsoft 365 and may contain content that is controlled by the IT This email is generated through Arrowheadep 
365Office's use of Microsoft 365 and may contain content that is controlled by the IT
    Attachments:
      Headers (Key: Value)
      Received: from [196.251.73.130] ([86.45.97.252]) by cmsmtp with ESMTP id reQhtf09kKIKvreQhtAGnh; Mon, 10 Mar 2025 14:48:32 +0000
      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=eircom.net; s=pfpt; t=1741618112; bh=qOHgFddDqMkZayaJP8KP6ti+4EIq48HOwrnf1hgpEYk=; h=Message-ID:From:To:Subject; b=xyoH84Pt7tcAln+ixAN4lWaCf+ecP++X4RB93piXHh39A6sRRzvWBVUSv+aB+rykW nS4kJ6FCs0FqXe6KDgF/tQYEt2/mIJ+XvZHW6TYpI7NKk/b5RL2jYAoZWgWOD78qov vf5EEgUCbg948+CaCnDQ2vUDcaSeWYB7oP9ZimzENne4nc9jC1JNf0nlcgzCnJC3ux kScK0Aum3NXcTTm8+U1eJx/b3YYiaFCTsuqMAhDvTjLaN69CUvykPwOnQocef+J08S N7rOzEtmTB+wsg7AJrsR87NFEYPcuzrUebnFUJ0/sAD/XzKFpvJaOGXOxz0zcjW2Mn PN5XJkUJhc+JA==
      Message-ID: <reQhtf09kKIKvreQhtAGnh.1741618112.98a95c50498e6a262ee5f0e87c775e08.MISSINGID@eircom.net>
      X-Authority-Analysis: v=2.4 cv=VcdUP0p9 c=1 sm=1 tr=0 ts=67cefbc0 a=GGZfKLB3cbnjRodTGnxDog==:117 a=GGZfKLB3cbnjRodTGnxDog==:17 a=HpEJnUlJZJkA:10 a=DBwwDor5xuMA:10 a=A2RLBPx3AAAA:8 a=K4JzbnAVAAAA:8 a=GvjEoarn0Pq6R93OlygA:9 a=PNWjX2GbIcW0Z01r:21 a=CjuIK1q_8ugA:10 a=Tvw6_0SZ_1tDLoUewa5I:22
      Content-Type: multipart/mixed; boundary="===============6976510483302879701=="
      MIME-Version: 1.0
      From: Monthly financial statemets <donot-reply@eircom.net>
      To: tkoopman@arrowheadep.com
      Subject: Arrowheadep shared a file with you
      Reply-To: noreply@eircom.net
      X-CMAE-Envelope: MS4xfHap/GPZ3suBGfFPKdGxuToyGOFUG4uw4Abx7oz5HPmvYWDKg2zTS7Ba30x7klv2yh7tsiixfdGmmWu9LHg4DDX61fNG9W6GpH43xoJIitzQg6MpUcmg uDCGpyzA3nxp1aQQTr3nnRHfln/xudQsUx+vojaa13HN7sKbNnG+WVgZn9BS17f+WzSxZuPMzL7g6J7S0KKcjU7rZ9EDHHcjjIc=
      X-BESS-ID: 1741618096-102373-7694-5517-2
      X-BESS-VER: 2019.1_20250304.2151
      X-BESS-Apparent-Source-IP: 13.38.202.32
      X-BESS-Parts: H4sIAAAAAAACA4uuVkqtKFGyUsooyVXSUcovVrIyNTEwBLIygIIGJsmJRkaGBk ZJxuYWqZapJmZGyUYmFiYmSWaJZmbJyUq1sQDbULAMQQAAAA==
      X-BESS-Spam-Status: SCORE=2.44 using account:ESS183182 scores of QUARANTINE_LEVEL=5.0 KILL_LEVEL=6.0 tests=HTML_MESSAGE, MISSING_DATE, BSF_SC0_SA074, MIME_HTML_ONLY, HTML_FONT_LOW_CONTRAST
      Received-SPF: pass (mx-inbound9-69.us-east-2a.ess.aws.cudaops.com: domain of donot-reply@eircom.net designates 13.38.202.32 as permitted sender)
      X-BESS-Spam-Score: 2.44
      Authentication-Results: mx-inbound9-69.us-east-2a.ess.aws.cudaops.com; spf=pass (sender IP is 13.38.202.32) smtp.mailfrom=donot-reply@eircom.net; dkim=none header.d=; dmarc=none header.from=donot-reply@eircom.net
      X-BESS-Spam-Report: Code version 3.2, rules version 3.2.2.263054 [from cloudscan10- 91.us-east-2a.ess.aws.cudaops.com] Rule breakdown below pts rule name description ---- ---------------------- -------------------------------- 0.00 HTML_MESSAGE BODY: HTML included in message 1.40 MISSING_DATE META: Missing Date: header 0.50 BSF_SC0_SA074 META: Custom Rule SA074 0.00 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.54 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar to background
      X-BESS-BRTS-Status: 1

      Icon Hash:46070c0a8e0c67d6
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Mar 11, 2025 00:39:05.078619003 CET | 1.1.1.1 | 192.168.2.7 | 0x1a39 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
      Mar 11, 2025 00:39:05.078619003 CET | 1.1.1.1 | 192.168.2.7 | 0x1a39 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
      Mar 11, 2025 00:39:05.078619003 CET | 1.1.1.1 | 192.168.2.7 | 0x1a39 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false

      Target ID:0
      Start time:19:38:59
      Start date:10/03/2025
      Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      Wow64 process (32bit):true
      Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\1741618096-102373-7694-5517-2.eml"
      Imagebase:0x850000
      File size:34'446'744 bytes
      MD5 hash:91A5292942864110ED734005B7E005C0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:2
      Start time:19:39:01
      Start date:10/03/2025
      Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
      Wow64 process (32bit):false
      Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6D35BE1F-1498-460C-BA22-19C4ADEEBB4F" "F387F593-7BE8-459E-8B0F-48C950BFE587" "7256" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
      Imagebase:0x7ff641930000
      File size:710'048 bytes
      MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      No disassembly