Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
nested-Vendor Questionnaires.eml

Overview

General Information

Sample name:nested-Vendor Questionnaires.eml
Analysis ID:1671107
MD5:94df7e799a3bbf92e3c0ea5529c884cc
SHA1:78aa673e447228ddcb02ae4c9180a37f1f0b5bd6
SHA256:e0f1b54c0f48fe03eb9fdb59aa796ecd3dca62b670b8957b8deb7a48fe0587ca
Infos:

Detection

Score:21
Range:0 - 100
Confidence:80%

Signatures

AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Stores large binary data to the registry

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • OUTLOOK.EXE (PID: 8504 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Vendor Questionnaires.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 8828 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "10FFF0B8-B1FD-44B5-858D-8C5CEBF65931" "EBA7C961-5A55-43A8-AB4B-291C3C2F448A" "8504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

barindex
Source: nested-Vendor Questionnaires.emlJoe Sandbox AI: Detected suspicious elements in Email header: Email originates from AWS EC2 instance (174.129.171.56) which is unusual for business correspondence. Domain 'cybersecuritycompliance.info' is suspicious - security-themed domains are commonly used in phishing. Message ID contains a UUID pattern that matches the 'local' hostname, suggesting automated/scripted sending. Return-path domain matches suspicious sender domain. The combination of AWS infrastructure with a security-themed .info domain is highly suspicious. Plain text email format is unusual for legitimate security compliance communications
Source: OUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl.0.drString found in binary or memory: https://login.windows.local
Source: OUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl.0.drString found in binary or memory: https://login.windows.localMiR
Source: OUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl.0.drString found in binary or memory: https://login.windows.localnullCha
Source: OUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl.0.drString found in binary or memory: https://login.windows.localnullK(
Source: classification engineClassification label: sus21.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmpJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etlJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Vendor Questionnaires.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "10FFF0B8-B1FD-44B5-858D-8C5CEBF65931" "EBA7C961-5A55-43A8-AB4B-291C3C2F448A" "8504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "10FFF0B8-B1FD-44B5-858D-8C5CEBF65931" "EBA7C961-5A55-43A8-AB4B-291C3C2F448A" "8504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Process Injection		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Modify Registry		LSASS Memory12
System Information Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1671107 Sample: nested-Vendor Questionnaires.eml Startdate: 22/04/2025 Architecture: WINDOWS Score: 21 10 AI detected suspicious elements in Email header 2->10 6 OUTLOOK.EXE 140 68 2->6         started        process3 process4 8 ai.exe 6->8         started       

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://login.windows.localnullK(0%Avira URL Cloudsafe
https://login.windows.localnullCha0%Avira URL Cloudsafe
https://login.windows.localMiR0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
s-0005.dual-s-dc-msedge.net
52.123.130.14
truefalse
    		high
    NameSourceMaliciousAntivirus DetectionReputation
    https://login.windows.localOUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl.0.drfalse
      		high
      https://login.windows.localnullK(OUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl.0.drfalse
      • Avira URL Cloud: safe
      		unknown
      https://login.windows.localnullChaOUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl.0.drfalse
      • Avira URL Cloud: safe
      		unknown
      https://login.windows.localMiROUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl.0.drfalse
      • Avira URL Cloud: safe
      		unknown

      World Map of Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox version:42.0.0 Malachite
      Analysis ID:1671107
      Start date and time:2025-04-22 16:42:46 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 4s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:nested-Vendor Questionnaires.eml
      Detection:SUS
      Classification:sus21.winEML@3/3@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .eml
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.109.20.39, 23.209.84.26, 23.209.84.39, 20.189.173.27, 184.29.183.29, 52.123.130.14, 20.190.190.196, 4.245.163.56, 150.171.31.254
      • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, cus-config.officeapps.live.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, onedscolprdwus21.westus.cloudapp.azure.com, officeclient.microsoft.com, osiprod-scus-buff-azsc-000.southcentralus.cloudapp.azure.com, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, ev2-ring.msedge.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, us2.roaming1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, scus-azsc-000.roaming.officeapps.live.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      s-0005.dual-s-dc-msedge.netCNjHXThF.emlGet hashmaliciousHTMLPhisher, Invisible JSBrowse
      • 52.123.131.14
      Evidence of Insurance-1.msgGet hashmaliciousUnknownBrowse
      • 52.123.130.14
      phish_alert_sp2_2.0.0.0 (6).emlGet hashmaliciousUnknownBrowse
      • 52.123.131.14
      Newsletter (276Ko).msgGet hashmaliciousUnknownBrowse
      • 52.123.131.14
      REIT Financial Statements Tool v2.0.1.10 Master.xlsmGet hashmaliciousUnknownBrowse
      • 52.123.131.14
      7 copy2.xlsmGet hashmaliciousUnknownBrowse
      • 52.123.130.14
      REIT Financial Statements Tool v2.0.1.10 Master.xlsmGet hashmaliciousUnknownBrowse
      • 52.123.130.14
      Doc_76564556787900875687.xlam.xlsxGet hashmaliciousUnknownBrowse
      • 52.123.130.14
      PAYMENT SLIP.xlam.xlsxGet hashmaliciousUnknownBrowse
      • 52.123.130.14
      Doc_76564556787900875687.xlam.xlsxGet hashmaliciousUnknownBrowse
      • 52.123.131.14

      ASNs

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250422T1043410487-8504.etl

      Download File
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):4.675228508051054
      Encrypted:false
      SSDEEP:768:swB2IEQ8DNns4aosxAD3qM9jsiodtv0XhFWT3aOHbbA7+xW36Fq11Yh0tU8T:wi4aFod9js30XhejW36FqXI8T
      MD5:5F7919072C9C1F46CDFD76799B91945E
      SHA1:401C8F2ED39FD1CAF395F2012E3F673CF47192A4
      SHA-256:33AA29FC87B0282E814DA4A4E9BA7166634D96A75D098AA49E1BA563ADBA697B
      SHA-512:344BF496CC07EBA21DD636B6397E82E638DF068925C3C6F7F03F6EB502EC22DA95CBA6F1882CC9C592C949E46A105F0BA2F62F0913B3B623D6B7F3651195BA1B
      Malicious:false
      Reputation:low
      Preview:............................................................................d...<!..8!..8p....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................T...........8p............v.2._.O.U.T.L.O.O.K.:.2.1.3.8.:.a.a.d.6.8.4.e.0.c.d.f.d.4.2.3.5.8.6.d.1.8.5.c.3.f.1.f.6.c.2.0.4...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.4.2.2.T.1.0.4.3.4.1.0.4.8.7.-.8.5.0.4...e.t.l...........P.P.<!..8!..8p....................................................................................................................................................................................................................................................................................................

      C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

      Download File
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Microsoft Outlook email folder (>=2003)
      Category:dropped
      Size (bytes):271360
      Entropy (8bit):2.2571854176964083
      Encrypted:false
      SSDEEP:1536:AIjf+r7wLYzJqsYioDW53jEpEHPVQ10BAwr5ZFqW53jEpEHPVQ10BAwr1:vfCYPpj6apj
      MD5:2AAC8C0E693E4E31887978E358FCC713
      SHA1:D6BBCE2F3D4E8959F96163C2928CC2E858C2FA62
      SHA-256:2BF1C6398CE25AE8529B9D67D63F3CDB5D12C5754AB2AEB5B512B7C590AA5A60
      SHA-512:D837E447F4BA27E556F25147409F22A38FBCA7DAAFE1B6DF72D91177877BBF1AC90270F0AA1A9CE85F4C7E4671CF9998BEA7D78AFBD816A3265476CE99D9540A
      Malicious:false
      Reputation:low
      Preview:!BDN..SM......\...............D.......`................@...........@...@...................................@...........................................................................$.......D......................C........L......@...................................................................................................................................................................................................................................................................................................|..0........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

      C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

      Download File
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):1.3489889855727555
      Encrypted:false
      SSDEEP:768:xW53amEpAHRHPVQ10BAwr1LCYbburfsdl:xW53jEpEHPVQ10BAwr19qsd
      MD5:CA7D20892AFA78BF759D14BC36295982
      SHA1:93BC9668F3CD7BC319DD1609BA6A74DA003DC43B
      SHA-256:45B209828FF6ACF30567A800DCE041AFA96DC3C5C7914E841E04BFD952E65DFE
      SHA-512:FA858C3CD8B54E72DB13CA0D8D6207AC27CA27CF70236481CC968A61CF1DF030F1901B25B0B220A4B9C972BE8D8A0CB690A7CE768A3C35154026F07488B93CA9
      Malicious:false
      Reputation:low
      Preview:+...C...\.......8!...B......................#.!BDN..SM......\...............D.......`................@...........@...@...................................@...........................................................................$.......D......................C........L......@...................................................................................................................................................................................................................................................................................................|..0.....B.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

      Static File Info

      General

      File type:RFC 822 mail, ASCII text, with CRLF line terminators
      Entropy (8bit):5.999260373069116
      TrID:
      • E-Mail message (Var. 5) (54515/1) 100.00%
      File name:nested-Vendor Questionnaires.eml
      File size:5'396 bytes
      MD5:94df7e799a3bbf92e3c0ea5529c884cc
      SHA1:78aa673e447228ddcb02ae4c9180a37f1f0b5bd6
      SHA256:e0f1b54c0f48fe03eb9fdb59aa796ecd3dca62b670b8957b8deb7a48fe0587ca
      SHA512:38075126d2f84315530bc9b4fe8b94be7531595a85650b913b0b85cbe7e3582d7fd3e2fb7331aa4ca7275fa85e8f53ce4e1c359db715e370d6312ecce17cdd8b
      SSDEEP:96:2AFecYkow0BFF9igsqi5A4hB8YCJ4IICGUQV9jcXI+qItFEUX:2Ptw0pAgsa4hWY2yVUQV9IWCEe
      TLSH:C4B12C61A96E482D18D1800C2BA4FB9ED262495682F551DC3F9C53677F3430F61EC4B7
      File Content Preview:Received: from mail-qv1-f53.google.com (mail-qv1-f53.google.com [209.85.219.53])...by mx0a-00109701.pphosted.com (PPS) with ESMTPS id 464y2xs68j-1...(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)...for <teuler@healthesystems.com>

      Static Mail

      General

      Subject:Vendor Questionnaires
      From:Andres Garza <andres@cybersecuritycompliance.info>
      To:teuler@healthesystems.com
      Cc:
      BCC:
      Date:Tue, 22 Apr 2025 13:26:11 +0000
      Communications:
      • Hi Tracy, Security vendor questionnaires often stall deals. We combine expert consulting with automation to make compliance effortlessturning security into a growth enabler. Want me to send a case study? Best, Andres from Carbide Secure Reply "stop" if youd prefer I dont reach out again.
      Attachments:
        Key Value
        Receivedfrom 42c9ce41-ae9f-4b45-adfc-f501ffd78c47.local (ec2-174-129-171-56.compute-1.amazonaws.com. [174.129.171.56]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6f2c2b0e84dsm57864986d6.35.2025.04.22.06.26.12 for <teuler@healthesystems.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 22 Apr 2025 06:26:12 -0700 (PDT)
        DKIM-Signaturev=1; a=rsa-sha256; c=relaxed/relaxed; d=cybersecuritycompliance.info; s=google; t=1745328373; x=1745933173; darn=healthesystems.com; h=mime-version:date:content-transfer-encoding:subject:to:from :message-id:from:to:cc:subject:date:message-id:reply-to; bh=1oJYKc3l7/Pwz0ZOWVVKXaQPqnUKo44OszC0G17BGCA=; b=A7CugxZLKowAGqrvSEb6uAS2rGuIoVjPqqe6hay0hmxBKTXA1LGMxoSSsNrhpVZ35y R+SpOgTuHK9Npk+x9JIzbG2I7v+H5aQBKD2I3Z2O8R5ydUfJbhqgkrCNcADuktH4xo8j ob3mBoJZw7qyI94fRFq8Iv6FBYZK/WwfDaRM9Anh4Xi0qiiQC3CkOm+/c/M72h2CKb+6 syjn6PAsE+/Q+5IUG5oTJWJ47BzlTuf4Xupa26J+gCGios/u/SbXmCeBLllRm/KAw6Q7 QxruhGH91VEUq4+ZXRzd0tsO2jgegxf70hJVXnq6OXYurV6MPL3AUjQr0JmN2qXyukgH Pp8g==
        X-Google-DKIM-Signaturev=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1745328373; x=1745933173; h=mime-version:date:content-transfer-encoding:subject:to:from :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1oJYKc3l7/Pwz0ZOWVVKXaQPqnUKo44OszC0G17BGCA=; b=qOjIXaj/a/4gNT8Xw6OwHZG/u7O9+5LELl5GM9xujZpIVYwaiwi6BZxHPwteeSruSQ y9J5Su9q8x3NDYeYBTPBPUJr0KfDN4QR9/M1NecaY99iCWsPqEsT8DWz9Il6yweDFbVq Q/8fCMwxDvAcuY81P4AFV3EOyFw0wN8LCIIUP4IEI16eLp79Dde+BOcL/OoXTRMuKpVG +g1wqfMQawnsiJdkLJwfIPBxbQfPZan0OrLW3tq0UOPy4Jhp5HXt/NrIicpjEm0T9o76 z2HoUuQSBYBddNkfaUyLOKPFSlTsZO5jOoAvGmgXytC5hN0auT0e30CJEvxtiGtZURuf k8SA==
        X-Gm-Message-StateAOJu0YyugU2r01aLt578MeYafEjuamnHYIw0BicCWF2cH/IPQzl5oebK rKl4exWOxEdHZGyRiEq0UyFi94jj0Mm4NNM8f2Yi8bwr/OnY6pQGRMRor0Vcj3m/nytpUigiHf1 z
        X-Gm-GgASbGncvMfhkQQ4NMpd2GmwBBF2lfndoP1MV/gPlJYDQq3W+ZuT4Ra4hE9KtEBW6fI+X eWy40Qn9QsUIJdllA79VHUTgaiIOXBPkcT6I3CGU67uXJOLFUXupp+NRsS6BzFVzyDT8NfqPnFn Z1u3cGu6aEBoamR0wcLlmtzsX/TO7FBTypmtgVliJ9t+cOjEOlkEWgoosMHfxwnnMmNZjZLGZ6y JJDvcyspraaDesEOQ9O+6Ws13fSkWzFZ3Q4Q56mhocZWpjdoOhnOJ/xOtoP3UYG4L7os1QKmJU1 dv2xIzodPzUIRC3cgaqBMix27/6boVqux3il0sV+clitmveGitalrBGiihTpGj5S4Qf++5CsMbN p2kKJu94ZG55RZAMYhdGKEmzX1jGGwcL38aLy3yLAt0RA76NKk8n1Bu6Tc7MnuhePLfHUaqskjY FBO8j8HG0=
        X-Google-Smtp-SourceAGHT+IEf1xWtRcd3/5xIvfDCQ0QsGzLnczSgkhh63rhcn/CJnXFiiefRZYhnkfFL7Lez7xy0TadzEA==
        X-Receivedby 2002:a05:6214:c64:b0:6ea:d393:9634 with SMTP id 6a1803df08f44-6f2c44e6184mr275051526d6.3.1745328372693; Tue, 22 Apr 2025 06:26:12 -0700 (PDT)
        Return-Path<andres@cybersecuritycompliance.info>
        Message-ID<42c9ce41-ae9f-4b45-adfc-f501ffd78c47@cybersecuritycompliance.info>
        FromAndres Garza <andres@cybersecuritycompliance.info>
        Toteuler@healthesystems.com
        SubjectVendor Questionnaires
        DateTue, 22 Apr 2025 13:26:11 +0000
        X-CLX-ShadesMLX
        X-Authority-Analysisv=2.4 cv=D/RHKuRj c=1 sm=1 tr=0 ts=680798f6 cx=c_pps a=k+UpYAzc8REPnh4cOiqX8g==:117 a=0Gaazqg/mF3Pv2mhX1MVsA==:17 a=IkcTkHD0fZMA:10 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=XR8D0OoHHMoA:10 a=aVObAeVHoTsA:10 a=__MO0CcqhVWig94ltwIA:9 a=QEXdDO2ut3YA:10 a=ZXulRonScM0A:10 a=nJ_aLg6Ybf7iGA-QXnsL:22 a=m_yw9IL0q2Vk4dkBHFnD:22
        X-CLX-Response1TFkXEhMRCkx6FxoRCllEF21QX0Fte2ZhBU5JEQpYWBdlHXJCaBlecFNDchE KeE4XbWFuZ2YBQFMaUEQRCnlMF25wQFMaZmRgHE1gEQpDSBcHHhsRCkNZFwcbHxIRCkNJFxoEGh oaEQpZTRdnZnIRCllJFxpxGhAadwYTGnEeHBAedwYHGwYaEQpZXhdsbHkRCklGF0JPS0ZeQk9ZU 1leT0dZdUJFWV5PThEKSUcXeE9NEQpDThd/XHB7WR1waWZ1ZEZHZnxybnBieEMYa3h7fR9JXENT HxEKWFwXHwQaBBkTEgUbGgQbGxoEGxkeBBkZEBseGh8aEQpeWRdMen4YeBEKTVwXBxwbEQpMWhd saU1BaxEKTEYXb2tra2trEQpCTxdtUnMSQVtpRBMeTBEKQ1oXGBoTBBIfBBgbEwQfGREKQl4XGx EKQlwXGxEKXk4XGxEKQksXbWFuZ2YBQFMaUEQRCkJJF21hbmdmAUBTGlBEEQpCRRdlcxx/Hn0BS VNPWREKQk4XbWFuZ2YBQFMaUEQRCkJMF2UdckJoGV5wU0NyEQpCbBdpbXtLfB0YaF0YaREKQkAX bUdwGEJOWlNOTx4RCkJYF2B+GAFyYkBIZmlhEQpNXhcbEQpaWBcbEQp5Qxd6HX5Ye08ZYEZLQRE KWUsXGxoSGhEKcGgXZVlufx5eXkhNTh4QGRoRCnBoF21eHGFoZ116b2FEEBkaEQpwaBdhY0JsbU ZmbmJ6bxAZGhEKcGwXY11yeWBPbG5BZUAQGhEKcEMXbkNYTUsfU3hIaWwQBxscEQptfhcbEQpYT RdLESA=
        X-Proofpoint-GUIDUvZQs7ZCL_NlmLVXDZHRi2ARQW5cviy5
        X-Proofpoint-ORIG-GUIDUvZQs7ZCL_NlmLVXDZHRi2ARQW5cviy5
        X-Proofpoint-Banner-Triggerinbound
        Content-Typetext/plain; charset="utf-8"
        Content-Transfer-Encodingquoted-printable
        MIME-Version1.0

        File Icon

        Icon Hash:46070c0a8e0c67d6

        Network Behavior

        DNS Answers

        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
        Apr 22, 2025 16:43:47.359462023 CEST1.1.1.1192.168.2.50xec4dNo error (0)ecs-office.s-0005.dual-s-msedge.netshed.s-0005.dual-s-dc-msedge.netCNAME (Canonical name)IN (0x0001)false
        Apr 22, 2025 16:43:47.359462023 CEST1.1.1.1192.168.2.50xec4dNo error (0)shed.s-0005.dual-s-dc-msedge.nets-0005.dual-s-dc-msedge.netCNAME (Canonical name)IN (0x0001)false
        Apr 22, 2025 16:43:47.359462023 CEST1.1.1.1192.168.2.50xec4dNo error (0)s-0005.dual-s-dc-msedge.net52.123.130.14A (IP address)IN (0x0001)false
        Apr 22, 2025 16:43:47.359462023 CEST1.1.1.1192.168.2.50xec4dNo error (0)s-0005.dual-s-dc-msedge.net52.123.131.14A (IP address)IN (0x0001)false

        Statistics

        CPU Usage

        050100s020406080100

        Click to jump to process

        Memory Usage

        050100s0.0050100MB

        Click to jump to process

        High Level Behavior Distribution

        • File
        • Registry

        Click to dive into process behavior distribution

        Behavior

        Click to jump to process

        System Behavior

        General

        Target ID:0
        Start time:10:43:39
        Start date:22/04/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-Vendor Questionnaires.eml"
        Imagebase:0x7c0000
        File size:34'446'744 bytes
        MD5 hash:91A5292942864110ED734005B7E005C0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false
        Show Windows behavior

        File Activities

        Show Windows behavior

        Section Activities

        Show Windows behavior

        Registry Activities

        Show Windows behavior

        COM Activities

        Show Windows behavior

        Mutex Activities

        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
        Show Windows behavior

        Thread Activities

        Show Windows behavior

        Memory Activities

        Show Windows behavior

        System Activities

        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
        Show Windows behavior

        Windows UI Activities

        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

        General

        Target ID:1
        Start time:10:43:45
        Start date:22/04/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "10FFF0B8-B1FD-44B5-858D-8C5CEBF65931" "EBA7C961-5A55-43A8-AB4B-291C3C2F448A" "8504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Imagebase:0x7ff7e9f60000
        File size:710'048 bytes
        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false
        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
        Show Windows behavior

        Section Activities

        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
        Show Windows behavior

        Mutex Activities

        Show Windows behavior

        Process Activities

        Show Windows behavior

        Thread Activities

        Show Windows behavior

        Memory Activities

        Show Windows behavior

        System Activities

        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

        Disassembly

        No disassembly