
Windows Analysis Report
1744369489-110890-7728-239-1.eml

Overview

General Information

Sample name:1744369489-110890-7728-239-1.eml
Analysis ID:1670350
MD5:02277b69016bf5000464a9e021022751
SHA1:4e8d50407baf1b0a58b73bf2e9446a6c1bbb1dca
SHA256:b20a8ea73936ebe7dec339e18906ae0f1eed6216e622e749b42a77f6cc6a7f1d

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Stores large binary data to the registry

Classification

Classification legend (rendered as a graphic in the original report): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean, suspicious, malicious.
  • System is w10x64
  • OUTLOOK.EXE (PID: 7688 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\1744369489-110890-7728-239-1.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7372 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "1D647402-0F36-4A5D-A6F7-EE43391C8AD9" "958B232E-A099-47FA-B478-313DE96CFB0B" "7688" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
No configs have been found
No yara matches
Sigma rule match (rule title not rendered on the page; rule authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)). Matched event: registry value set, EventID 13 (Sysmon RegistryEvent, EventType SetValue), Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7688, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1, Details: 24 zero bytes (00 00 ... 00). The writing process is OUTLOOK.EXE itself updating its own add-in state, and no process other than Outlook and its ai.exe helper was started in this run, so this hit reflects the host application, not content of the email.
No Suricata rule has matched


Phishing

Source: 1744369489-110890-7728-239-1.eml; Joe Sandbox AI: Detected potential phishing email: The email contains a suspicious Discord CDN link to a .js (JavaScript) file, which is highly unusual for a business inquiry. The sender's display name and email domain don't match: it claims to be from a Spanish company but uses a Hungarian domain. The email content is suspiciously repetitive, with multiple identical copies of the same message.
Source: 1744369489-110890-7728-239-1.eml; Joe Sandbox AI: Detected suspicious elements in Email header: IP address 223.24.156.241 is from an Asian region, sending to a Western business domain. Message-ID domain (babaszepsegverseny.hu) doesn't match the sending infrastructure (ks0486.com). Suspicious boundary string pattern typical of malware campaigns. Direct connection from an IP address without proper email server infrastructure. No authentication results (SPF, DKIM, DMARC) present in headers. Multiple mismatched domains across different headers, suggesting spoofing.
Source: Email; Classification: Credential Stealer
Source: 1744369489-110890-7728-239-1.eml; String found in binary or memory: https://cdn.discordapp.com/attachments/1359829020736360572/13601= (the trailing "=" is a quoted-printable soft line break: the string scan picked up only the first encoded line of the wrapped URL; the complete link, .../1360105247212568607/RFQ1190017594.js?ex=...&is=...&hm=..., is visible in the decoded message body under Communications below)
Source: classification engine; Classification label: mal48.winEML@3/3@0/0
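The header and body indicators the AI signatures describe above can be checked mechanically. The following script is an added example, not part of the Joe Sandbox report: it parses an .eml, walks the Received chain, compares the From and Message-ID domains against the relay hosts, looks for the missing Authentication-Results header and the gateway's SPF SoftFail, decodes the transfer encoding before extracting URLs (so the wrapped Discord link comes out whole instead of the truncated ".../13601=" that the raw string scan reported), and flags script-file lures and the repeated body text. The embedded message is constructed from the header fields and body fragments shown in this report; the Message-ID value, the quoted-printable encoding and the body layout are assumptions, and the file-sharing host and script-extension watch-lists are the author's, not Joe Sandbox's.

```python
"""Header-consistency checks and lure-URL extraction for a phishing .eml.

Added example, not part of the Joe Sandbox report. The sample below is
constructed from fields the report shows; the Message-ID value, the
quoted-printable encoding and the body layout are assumptions.
"""
import re
from collections import Counter
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample. The lure URL is wrapped with quoted-printable soft
# line breaks, which is why a raw string scan sees only ".../13601=".
SAMPLE_EML = """\
X-BESS-REASON: spf
X-BESS-REASON-EXTRA: SoftFail
Received: from gw.ks0486.com (gw.ks0486.com [34.64.235.254]) by mx-inbound42-138.us-east-2c.ess.aws.cudaops.com; Fri, 11 Apr 2025 11:04:49 +0000
Received: from [223.24.156.241] ([223.24.156.241]) by gw.ks0486.com ([10.30.5.83]) with ESMTP id 1744369485.994835.139881688803072.gw for <casmith@arrowheadep.com>; Fri, 11 Apr 2025 20:04:45 +0900 (KST)
Message-ID: <constructed-example@babaszepsegverseny.hu>
From: Andoni Martin <purchase_order@babaszepsegverseny.hu>
To: casmith@arrowheadep.com
Subject: Order Inquiry - RFQ1190017594
Date: Fri, 11 Apr 2025 18:04:45 +0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Dear Sir/Ma,
Dear Sir/Ma,
Dear Sir/Ma,
Dear Sir/Ma,
Could you please send me a price quotation for the below products.
https://cdn.discordapp.com/attachments/1359829020736360572/13601=
05247212568607/RFQ1190017594.js?ex=3D67f9e838&is=3D67f896b8&hm=3D632996e=
db84d3b590ddffa853bf43b9c3bc0e321c37f5bc842a4c7621ae73d8a&
Best regards,
Andoni Martin
"""

# Assumed watch-lists (the author's choice, extend as needed).
SCRIPT_EXT = ('.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.ps1', '.bat', '.cmd', '.lnk')
FILE_SHARING_HOSTS = ('cdn.discordapp.com', 'media.discordapp.net')


def domain_of(value) -> str:
    """Domain part of an address or message-id: "Name <u@host>" -> "host"."""
    m = re.search(r'@([A-Za-z0-9.-]+)', str(value or ''))
    return m.group(1).lower() if m else ''


def received_hops(msg):
    """(from, by) per Received header in header order: first entry is the
    last relay before delivery, last entry is the originating hop."""
    hops = []
    for hdr in msg.get_all('Received', []):
        text = ' '.join(str(hdr).split())
        frm = re.match(r'from\s+(\S+)', text)
        by = re.search(r'\bby\s+(\S+)', text)
        hops.append((frm.group(1).strip('[];') if frm else '',
                     by.group(1).strip('[];') if by else ''))
    return hops


def triage(raw_eml: str) -> dict:
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []
    hops = received_hops(msg)
    origin = hops[-1][0] if hops else ''
    chain_hosts = {h for hop in hops for h in hop if h}

    if msg['Authentication-Results'] is None:
        findings.append('no Authentication-Results header (SPF/DKIM/DMARC unverified)')
    if str(msg['X-BESS-REASON-EXTRA'] or '').strip().lower() == 'softfail':
        findings.append('gateway reports SPF SoftFail')
    for name in ('From', 'Message-ID'):
        dom = domain_of(msg[name])
        if dom and not any(h.endswith(dom) for h in chain_hosts):
            findings.append(f'{name} domain {dom} never appears in the Received chain')
    if re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', origin):
        findings.append(f'originating hop is a bare IP literal {origin}')

    # Decode the transfer encoding before scanning so wrapped URLs are whole.
    body_part = msg.get_body(preferencelist=('plain', 'html'))
    body = body_part.get_content() if body_part is not None else ''
    urls = re.findall(r'https?://[^\s<>"\']+', body)
    for url in urls:
        host = urlparse(url).hostname or ''
        name = urlparse(url).path.rsplit('/', 1)[-1]
        if host in FILE_SHARING_HOSTS or name.lower().endswith(SCRIPT_EXT):
            findings.append(f'lure URL on {host} delivering {name}')

    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    top, count = Counter(lines).most_common(1)[0] if lines else ('', 0)
    if count >= 3:
        findings.append(f'body line repeated {count}x: {top!r}')
    return {'from_domain': domain_of(msg['From']), 'origin_ip': origin,
            'hops': hops, 'urls': urls, 'findings': findings}


if __name__ == '__main__':
    for finding in triage(SAMPLE_EML)['findings']:
        print('-', finding)
```

Run it on a real file with `triage(open(path, encoding='utf-8', errors='replace').read())`. The decode-before-scan step is the part that matters for this sample: scanning the raw file the way the sandbox's string search did returns the truncated URL, while scanning the decoded body returns the full RFQ1190017594.js link.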
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250421T1021050405-7688.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\1744369489-110890-7728-239-1.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "1D647402-0F36-4A5D-A6F7-EE43391C8AD9" "958B232E-A099-47FA-B478-313DE96CFB0B" "7688" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (56 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
All of the behaviour above (error-mode changes, the volume-information query on Outlook's own .onnx model, the MachineGuid read and the registry writes) comes from OUTLOOK.EXE and its ai.exe helper starting up, and it is what raises the two non-AI signatures in the summary. The linked RFQ1190017594.js was never fetched or executed in this run, so the behavioural part of the report describes the host application, not the payload.
MITRE ATT&CK matrix (rebuilt from the flattened table: one line per tactic, techniques in the order the matrix lists them; numeric prefixes are the count badges shown in the original cells):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: 1 1 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows); Login Hook
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook
Defense Evasion: 1 Masquerading; 1 Modify Registry; 1 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 Process Discovery; 1 2 System Information Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior graph (rendered as an interactive image in the original report; only its summary survives): Behavior Graph ID 1670350, sample 1744369489-110890-7728-239-1.eml, start date 21/04/2025, architecture WINDOWS, score 48. The sample node carries the two signatures "AI detected suspicious elements in Email header" and "AI detected suspicious elements in Email content"; the sample starts OUTLOOK.EXE (node counters 68 and 87, the legend's created-registry-value and created-file counts), which in turn starts ai.exe.

No Antivirus matches (reported identically for each of the report's antivirus categories)
Contacted domains (Name | IP | Active | Malicious | Reputation):
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | high
URLs found in the sample (Name | Source | Malicious | Reputation):
https://cdn.discordapp.com/attachments/1359829020736360572/13601= | 1744369489-110890-7728-239-1.eml | false | high
Note: the URL entry is the truncated first quoted-printable line of the lure, so the "not malicious / high reputation" verdict applies to the bare cdn.discordapp.com host, not to the full link to RFQ1190017594.js in the message body; the link was not fetched during analysis, and the only domain contacted is Microsoft's dual-s-msedge.net, which Outlook reaches on its own.
No contacted IP infos
      Joe Sandbox version:42.0.0 Malachite
      Analysis ID:1670350
      Start date and time:2025-04-21 16:20:01 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 13s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:1744369489-110890-7728-239-1.eml
      Detection:MAL
      Classification:mal48.winEML@3/3@0/0
      Cookbook Comments:
      • Found application associated with file extension: .eml
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.109.6.53, 52.109.0.140, 23.209.84.26, 23.209.84.39, 52.109.2.117, 52.109.2.121, 52.109.2.127, 52.109.0.152, 52.168.117.171, 184.29.183.29, 52.123.128.14, 20.190.190.129, 4.175.87.197
      • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, prod-wus-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, osiprod-wus-buff-azsc-000.westus.cloudapp.azure.com, mobile.events.data.microsoft.com, roaming.officeapps.live.com, wus-azsc-000.roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, onedscolprdeus16.eastus.cloudapp.azure.com, eus2-azsc-config.officeapps.live.com, officeclient.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, us2.roaming1.live.com.akadns.net, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, mobile.events.data.trafficmanager.net
      • Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
No context (contacted IPs)
Context for the contacted domain s-0005.dual-s-msedge.net: earlier analyses in which the same domain was resolved (Associated Sample Name / URL | Detection | Threat Name | IP resolved at the time):
• FW Deal Sheet & Commitment-New Deal.eml | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 52.123.129.14
• OneLogin.doc | malicious | Meterpreter | 52.123.128.14
• MLO Ltr (AF-02)04152025_0015.docx.doc | malicious | Unknown | 52.123.129.14 (two analyses)
• nested-Ready for Your Review & Sign-Off Before Submission #U2014 FY Financials Forecast.eml | malicious | Unknown | 52.123.129.14
• PI-003-2024-AWG-BK.docx.doc | malicious | Unknown | 52.123.128.14 and 52.123.129.14 (two analyses)
• _________19.03.docx | malicious | Unknown | 52.123.128.14 and 52.123.129.14 (two analyses)
• Your Shipment Is On Its Way.eml | malicious | Unknown | 52.123.129.14
Caveat: dual-s-msedge.net is Microsoft infrastructure that Office contacts on start-up, and 52.123.128.14 is in the whitelisted IP list above. The overlap with other malicious samples is an artefact of every Office-opened sample in the sandbox reaching the same Microsoft endpoint; it is not shared attacker infrastructure and should not be used as a pivot.
No context for the remaining context categories.
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):110592
      Entropy (8bit):4.518043759178077
      Encrypted:false
      SSDEEP:768:TuRPdaXIw/i3Yxqe94x4NB9BXq4CBqgT8XGieW/WhQ0WJWI4T4wCj:Cpwh4xO9BXqhBqrXei1
      MD5:BF47F7549C09125A9864174219290441
      SHA1:A8C52BAF441BCD08D0A1B6B02BEBF9550E953E71
      SHA-256:03A32D58CB86FB85B5E9D546C8968DC85133AD8F29CF7C6483ECBC5C9FEBA94A
      SHA-512:F0A3003E03E3A6B4BAE066394E3694D6CA00F4B0B30A1C188CF0D6166E9145731A81A90BB710F9A46C56EAA47ADAB0F6D28847624E3F1B05930E44DC175970EB
      Malicious:false
      Reputation:low
      Preview:............................................................................h...........,.&....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0C.oZ...........,.&............v.2._.O.U.T.L.O.O.K.:.1.e.0.8.:.8.a.2.9.2.4.b.b.0.f.1.1.4.0.5.3.b.4.b.7.e.c.4.6.c.1.b.3.0.a.9.4...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.4.2.1.T.1.0.2.1.0.5.0.4.0.5.-.7.6.8.8...e.t.l.......P.P.........,.&....................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Microsoft Outlook email folder (>=2003)
      Category:dropped
      Size (bytes):271360
      Entropy (8bit):2.6716402897479505
      Encrypted:false
      SSDEEP:1536:IUVtTBciSHae84WKHIlq3y/DNDW53jEpEHP4qQ10PAwr2ugrW53jEpEHP4qQ10P1:IUjLDKHIlq3yp1p9L9p9
      MD5:0FF372100827BC56F149F7E43F35F4B7
      SHA1:B0D608B3EC73F532C3F701D3234EA567DCACC02C
      SHA-256:10D94BD2E6D0C8C9B1E1635EFD40C387BF1A88552FB452287A13CCAD25E6D703
      SHA-512:0A7972B014413A3226F923769D0CB85B8B02A3CDC9933C6674A47B23F64BC2AEA299995F12C0BBB7125C06C7EDA89DC5A683F3727C5437E91301B7CEA9EB064A
      Malicious:false
      Reputation:low
      Preview:!BDN..&2SM......\...............A.......b................@...........@...@...................................@...........................................................................$.......D......................@........b......=...........................................................................................................................................................................................................................................................................................L.........I..7......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):2.7612017198097196
      Encrypted:false
      SSDEEP:1536:kW53jEpEHP4qQ10PAwr1Vg3a53jEpEHP4qQ10PAwr83QEDtE1T:mp9Ftp9/pEV
      MD5:E11A996591DF2846E60429893E7CC297
      SHA1:64BF0DD687FB02B71E3930B342FDBF2AD06C3683
      SHA-256:C3132F37B20BCF9728597069CAD4E7DA8BBDA92A57CECB19AEA77D3A17944DB8
      SHA-512:46C110D12B1282AE4F992FB39C42E0C160D3C5EFEEE176D3B8EF9AECA97212806941EE2B8FDAB3B2651B20A22D633DDE4DE7FCEA24BB5A56D8B0FAB8C82CD1C8
      Malicious:false
      Reputation:low
      Preview:.|.JC...c.............s......................#.!BDN..&2SM......\...............A.......b................@...........@...@...................................@...........................................................................$.......D......................@........b......=...........................................................................................................................................................................................................................................................................................L.........I..7....s.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
      File type:HTML document, ASCII text, with CRLF, CR line terminators
      Entropy (8bit):5.852475071090553
      TrID:
        File name:1744369489-110890-7728-239-1.eml
        File size:20'754 bytes
        MD5:02277b69016bf5000464a9e021022751
        SHA1:4e8d50407baf1b0a58b73bf2e9446a6c1bbb1dca
        SHA256:b20a8ea73936ebe7dec339e18906ae0f1eed6216e622e749b42a77f6cc6a7f1d
        SHA512:0bc88a3259f0ad9002ee6c6cc74e09dfb8530b9c386d6da077cea2788f4bbc98be8b896e818d42d84bf35ecc650a7ca7ba7efa276228f326f51464a017ec6d36
        SSDEEP:384:aqEmuymg/mqKeeevVmBmnfHWLwee9eeUmHmf1eeIxzyVmVm4mVm5CJTlteeepmmZ:aqEmuymdqKeeevQ8fHW8ee9eezGf1eeE
        TLSH:8892C90AD25609C6D1770CA4B0AF7B4863750E8F9F5385353A9F6AA6CF8F8B53385348
        File Content Preview:X-BESS-REASON: spf..X-BESS-REASON-EXTRA: SoftFail..Received: from gw.ks0486.com (gw.ks0486.com [34.64.235.254]) by mx-inbound42-138.us-east-2c.ess.aws.cudaops.com; Fri, 11 Apr 2025 11:04:49 +0000..Received: from [223.24.156.241] ([223.24.156.241]) ..
        Subject:Order Inquiry - RFQ1190017594
        From:Andoni Martin <purchase_order@babaszepsegverseny.hu>
        To:casmith@arrowheadep.com
        Cc:
        BCC:
        Date:Fri, 11 Apr 2025 18:04:45 +0700
        Communications:
        • (The extracted body repeats the greeting, the request sentence and the signature block many times, which is the repetition the AI content signature refers to; one copy follows, with the lure link in the position it occupies in the text.) Dear Sir/Ma, Could you please send me a price quotation (with delivery time and delivery cost) for your product(s) in the below products. https://cdn.discordapp.com/attachments/1359829020736360572/1360105247212568607/RFQ1190017594.js?ex=67f9e838&is=67f896b8&hm=632996edb84d3b590ddffa853bf43b9c3bc0e321c37f5bc842a4c7621ae73d8a& After review of your quotation if we are interested we will contact you to prepare PI Thank you. Best regards, Andoni Martin Purchase/Foreign Procurement Manager LINK SOLUCIONES INDUSTRIALES Spain Zahony str. 7. - H-1031 - Madrid Spain +34 22 678 220 andoni.martin@bizkaia.eu mailto:andoni.martin@bizkaia.eu
        Note on the signature: "H-1031" is a Hungarian-format postal code (a Budapest district) attached to a "Madrid Spain" address, consistent with the .hu sending domain rather than the claimed Spanish company, and the reply address is on a third domain (bizkaia.eu) that appears nowhere in the headers.
        Attachments:
        • download.png
Key Value
X-BESS-REASON: spf
X-BESS-REASON-EXTRA: SoftFail
Received: from [223.24.156.241] ([223.24.156.241]) by gw.ks0486.com ([10.30.5.83]) with ESMTP id 1744369485.994835.139881688803072.gw for <casmith@arrowheadep.com>; Fri, 11 Apr 2025 20:04:45 +0900 (KST)
From: Andoni Martin <purchase_order@babaszepsegverseny.hu>
To: casmith@arrowheadep.com
Subject: Order Inquiry - RFQ1190017594
X-TERRACE-DUMMYSUBJECT: Terrace Spam system *
Date: Fri, 11 Apr 2025 18:04:45 +0700
Message-ID: <20250411180445.39E45890B8CA7E2D@babaszepsegverseny.hu>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0012_2BB1E38D.BACECA1E"
X-TERRACE-SPAMMARK: NO (SR:3.00) (by Terrace)
X-TERRACE-SID: 1744369485.994835.139881688803072.gw
X-BESS-ID: 1744369489-110890-7728-239-1
X-BESS-VER: 2019.1_20250408.2322
X-BESS-Apparent-Source-IP: 34.64.235.254
X-BESS-Parts: H4sIAAAAAAACAzWMOQ6EMBAE/zIxgeewB/MVtIE92JBwSBAgrfj7OmCTVqtVXe MXyn3BAMu1Qgf7CQNijNTq0tapKgWR0kvOXJ23GCz5PptjmiwFeLq/4NjmVyCM/P7FKk dtETSJGaFaKega4EiFBZ7PD0xonIqCAAAA
Authentication-Results: mx-inbound42-138.us-east-2c.ess.aws.cudaops.com; spf=softfail smtp.mailfrom=purchase_order@babaszepsegverseny.hu; dmarc=none header.from=purchase_order@babaszepsegverseny.hu
Received-SPF: softfail (mx-inbound42-138.us-east-2c.ess.aws.cudaops.com: domain of transitioning purchase_order@babaszepsegverseny.hu does not designate 34.64.235.254 as permitted sender)
X-BESS-BRTS-Status: 1

Icon Hash: 46070c0a8e0c67d6

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 21, 2025 16:21:09.341512918 CEST | 1.1.1.1 | 192.168.2.6 | 0x2543 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 21, 2025 16:21:09.341512918 CEST | 1.1.1.1 | 192.168.2.6 | 0x2543 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
Apr 21, 2025 16:21:09.341512918 CEST | 1.1.1.1 | 192.168.2.6 | 0x2543 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false

Process behavior distribution (chart legend): File, Registry

Target ID: 2
Start time: 10:21:03
Start date: 21/04/2025
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\1744369489-110890-7728-239-1.eml"
Imagebase: 0xf00000
File size: 34'446'744 bytes
MD5 hash: 91A5292942864110ED734005B7E005C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 10:21:08
Start date: 21/04/2025
Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "1D647402-0F36-4A5D-A6F7-EE43391C8AD9" "958B232E-A099-47FA-B478-313DE96CFB0B" "7688" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase: 0x7ff641820000
File size: 710'048 bytes
MD5 hash: EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

        No disassembly