Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
mail-41.eml

Overview

General Information

Sample name:	mail-41.eml
Analysis ID:	1585233
MD5:	36b739d0d85c39d12b639347b4e8108f
SHA1:	67d901d26be9238b7c9b8ba981ccc8fa639c7f69
SHA256:	b2e71e5f68b471375192f2f61ad48eafbb2594ab40d380907d67a72536bd988c
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

×

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 3132 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\mail-41.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6912 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "565FB84F-F488-4ACB-BC91-C6B71B5BC323" "4E034981-F782-4B0B-ADF7-EA8EC50D5057" "3132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 3132, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: PDF document	Joe Sandbox AI: Page contains button: 'VIEW DOCUMENT' Source: 'PDF document'
Source: PDF document	Joe Sandbox AI: PDF document contains prominent button: 'view document'

AI detected potential phishing Email

Source: Email

Joe Sandbox AI: Detected potential phishing email: Suspicious sender domain 'guestlabs.com' attempting to impersonate eDocuSign. Generic and vague payment-related content with poor formatting. Suspicious attachment naming pattern targeting specific recipient

Source: Email

Classification: Invoice Scam

Source: classification engine

Classification label: mal48.winEML@3/4@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250107T0506510221-3132.etl

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\mail-41.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "565FB84F-F488-4ACB-BC91-C6B71B5BC323" "4E034981-F782-4B0B-ADF7-EA8EC50D5057" "3132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "565FB84F-F488-4ACB-BC91-C6B71B5BC323" "4E034981-F782-4B0B-ADF7-EA8EC50D5057" "3132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: mail-41.eml

Binary or memory string: AO98jGaP/xBF2gh85Jg4R2mhgFSMmO7ZZ2nTOBotFKlnQ8WxmY1W7gtFkwK22a8OgpjnYgSdn0l0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	21 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585233
Start date and time:	2025-01-07 11:05:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mail-41.eml
Detection:	MAL
Classification:	mal48.winEML@3/4@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 51.116.253.170, 13.107.246.45, 172.202.163.200, 23.56.254.165
Excluded domains from analysis (whitelisted): ecs.office.com, client.wns.windows.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, ukw-azsc-config.officeapps.live.com, onedscolprdgwc07.germanywestcentral.cloudapp.azure.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "explanation": [ "Suspicious sender domain 'guestlabs.com' attempting to impersonate eDocuSign", "Generic and vague payment-related content with poor formatting", "Suspicious attachment naming pattern targeting specific recipient" ], "phishing": true, "confidence": 9, "generated_by_ai": false }
{ "date": "Tue, 26 Nov 2024 03:45:39 +0000", "subject": "Action Required: Review approved payment summary for eSignature", "communications": [ " \n\n\n\nPlease find the attached Payment receipt enclosed\n \nPayoff instructions for inv-2255734   \n \nBest regards\n\nACCOUNTING.\n \n \n \n \n \n \n\n \nCONFIDENTIALITY STATEMENT. The information contained in this e-mail message, including attachments, is the confidential information of, and/or is the property. The information is intended for use solely by the individual or entity named in the message. If you are not an intended recipient or you received this in error, then any review, printing, copying, or distribution of any such information is prohibited, and please notify the sender immediately by reply e-mail.\n" ], "from": "\"[EXT] Garrett Baker via eDocuSign\" <infos@dev32849.guestlabs.com>", "to": "t.pusch@kostal.com", "attachements": [ "T Puschpaymentsummary.pdf" ] }
URL: Email Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Please find the attached Payment receipt enclosed", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: PDF document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "A document is available for you. Please click the button below to see the details.", "prominent_button_name": "VIEW DOCUMENT", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: PDF document Model: Joe Sandbox AI	{ "brands": [ "DocuSign" ] }
	{ "brands": [ "DocuSign" ] }
URL: Email Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Email Model: Joe Sandbox AI	{"classification":"Invoice Scam"}
Email: Detected potential phishing email: Suspicious sender domain 'guestlabs.com' attempting to impersonate eDocuSign. Generic and vague payment-related content with poor formatting. Suspicious attachment naming pattern targeting specific recipient	{"classification":"Invoice Scam"}

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.246.45
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.246.45
	https://e.trustifi.com/#/fff2a0/615048/6b9108/bb6bb8/0c4d40/10c266/f490c9/97ed1b/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/85de28/9434d8/86c8f5/bcad02/214fc7/998ea3/f74550/f15e41/328dbb/f2d014/49d879/3689f7/91b4f6/9617cd/897401/851960/993266/280340/ae6054/337b49/6f0428/673840/abdb07/82b8be/00f4e1/3270c4/922952/b4db4e/e9dcee/3a01c5/962a76/930521/2e7fc6/514759/a95ca8/c37226/be9e63/3c4ec2/89148e/13fdfe/ea86c0/04048b/56ab74/dca15f/97696c/fa7912/512e28/fc9f59/50d13f/4f0114/039a8f/84bd72/2603b6/e0eceb/28f211/4fdb34/a1dc16/2076ef/8e55cf/8f9d2c/0d4402/f5a713/43ec64/fabda1/b6994c/da2da1/2851a8/b04ed3/8cea9a/1e21dc/0abaf5/7df73e/f39a96/1f2244/423c00/5c4e8d	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://t1.a.editions-legislatives.fr/r/?id=hfe20c57a%2C3602a3f1%2C7f94ba88&p1=//www.google.co.nz/url?q=k8pQvvqad5fe5yj7Y00xDjnlx9kIHvsdvds44vs4d4aAkImPuQvsdv44WtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRvdsvsdvswqyicT&sa=t&url=amp/yesmotoring.com.sg/upthere/running/8mspbf71i0mf51h0zfhwhu2z/cGhpbC5sZXNzYXJkQG1vZHVsYS5jb20=&ago=212&ao=817&aca=-11&si=-11&ci=-11&pi=-11&ad=-11&sv1=-11&advt=-11&chnl=-11&vndr=1363&sz=539&u=eTLPPreWarranty%7CConsumer&red=http://www.lampsplus.com/?sourceid=eTLPPreWarranty&cm_mmc=TRA-EM-_-LP-_-eTLPPreWarranty-_-tlogo&counterid=tlogo	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	64.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	iy1.dat.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	BXOZIGZEUa.exe	Get hash	malicious	Bdaejec	Browse	13.107.246.45
	w3245.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	w3245.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250107T0506510221-3132.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	4.51878626340634
Encrypted:	false
SSDEEP:	768:zCMXdLTpHFyhQ2DwAMzm4Od9YdKh9W2W1W20nNZXV4PDD1p90C:O1h4Od9Yd7cXu7Zp90C
MD5:	B511B2522FE0CCE09DBA7D9238616952
SHA1:	46C4DD8B6ACBF8D58459917DF87DE407B0ED3936
SHA-256:	B4B4459AF31535B6677656C577B103BC514D889BC10597DF5546C6A4F54A3A8B
SHA-512:	B87F7481162B91F9E7A5096953CCFC8E3636783CBEC0488242AAD6B2D2F2722D38FAE587FB1A080F0B24F722C95A7341358B5ECFA101A3E7648F129C5A02DAF0
Malicious:	false
Reputation:	low
Preview:	............................................................................f.......<...D0...`..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1........................................................... ...H...........D0...`..........v.2._.O.U.T.L.O.O.K.:.c.3.c.:.0.0.2.5.a.f.7.5.8.a.d.b.4.e.4.a.9.4.b.9.8.0.7.3.c.9.a.8.2.0.9.a...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.1.0.7.T.0.5.0.6.5.1.0.2.2.1.-.3.1.3.2...e.t.l.........P.P.....<...m....`..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\olk7977.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	22103
Entropy (8bit):	7.783481080685945
Encrypted:	false
SSDEEP:	384:rlT4lyt6W9kKuf7lRtlKTzUzHmy01d+dkUF6SPbz54XRZ2fPiy:rlT4s7ZujqTAzHx0S+Qdb1mRofPiy
MD5:	D1251A8539704F007322CDE9912E0A2B
SHA1:	F9634BED8A61CF1AFB6ABFB1F3AA369B851D4E5B
SHA-256:	61F3205DF424C90473A49F2C0AFEB2FBD2E8DBBFB4AAEAFF919B3945AF3EFDBE
SHA-512:	608F09064B4962F28C4EAAE75631E5C59343306E466C8162173B837449C7AAC561E0C822187CE42B7AD518E42081A9B5A865FB51025BAB14FA50980D642420B5
Malicious:	false
Reputation:	low
Preview:	422 578.61328] 17 [543.94531] 24 [615.23438] 38 [459.47266] 60 [519.53125] 68 [854.98047 645.50781] 87 [516.60156] 94 [459.47266] 258 [479.00391] 272 [422.85156] 282 [525.39063 0 0 0 497.55859] 296 [305.17578] 336 [470.70313] 349 367 229.49219 373 [798.82813] 374 393 525.39063 410 [334.96094] 455 [452.63672] 856 [252.44141] 882 [306.15234] 890 [498.04688] 1005 1013 506.83594]./DW 0>>.endobj.88 0 obj.<</Filter /FlateDecode./Length 378>> stream.x.].Kn.0...O.e....+H.)%Ab.Js.....1.q..}..4....=..x....v.2xwc.........u$.t...F.C.......z.....=."..>.<\...m?.i%.7...Y>..f%..6M.t!..E!{:..\|i...B2.u......e...>.4l.j.....v.Z{&.+.T!..B......a.S..:...2W...."...2...X&..VXB.8e.83.C.,..+..Z+.kz.E..e.=.\|:^.Rh.e...J.&c.\..!E..u.....`...u.....bU..FP.e...o....-.....)K.hf.d{.N...C.....7.g.10..9.....d....c..q.....K..3.endstream.endobj.11 0 obj.<</Type /Font./Subtype /Type0./BaseFont /DAAAAA+Calibri./Encoding /Identity-H./DescendantFonts [87 0 R]./ToUnicode 88 0 R>>.endobj.89 0 obj.<</Lengt

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	2302976
Entropy (8bit):	1.15793292448695
Encrypted:	false
SSDEEP:	3072:9YGlfufn81sjxzSUGe1k21YEH1w4vWoEtZl2b1hHCmwOsZlw7OvCTp9:9RAngsJSUGxEHLWoEtX2xhi7ECaT
MD5:	C2A5E2402ECD19BB78EF4D154DF2567B
SHA1:	312025C2D78A405DE169EF8D82D990528A4F3047
SHA-256:	56C446EC217C72E78E78FCFD6EE4558EE8F35F475660AB9DBFC2DA9EF64651E9
SHA-512:	E780A79B71BC3AFE6EF5B3E9F2DFD5F72BB7CC71515AB20356115BF63D7E7254372C0BA6BB97601624824C6626EE5BF7F75AAFDDCC82EE8D2E43B7169E94A4DE
Malicious:	true
Reputation:	low
Preview:	!BDNse.3SM......\....p..................[................@...........@...@...................................@...........................................................................$#......D......@e.......................n...............P...........................................................................................................................................................................................................................................................................................\...yw.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	6.798499637114813
Encrypted:	false
SSDEEP:	3072:gp9m2sZl5iwqf4fj8msjzzgbG20k21YAHn24v+oECZl2z1h9C+RAdP:g2l/kOjjsrgbGKAHz+oECX2ph4zd
MD5:	98A0F768CC0D7F3EC739BC41C9A0EFA1
SHA1:	4E9AD6DF2D5DC6042FFE708E37C25784B3515726
SHA-256:	93318551C4B2FFDAF0D5B83F4274A1C92D52AC195764F4B263FAE0B5D5AB5FCF
SHA-512:	A5739C1F985743ECFFCA873232AA66EF2481681767910C9C8912386A26955856E6FDD3C5EA10ACFB0CEEAFDEFB39D3357060C6BE660828B03D63F97376FD6400
Malicious:	true
Reputation:	low
Preview:	....C...v.......<...mYf..`....................#.!BDNse.3SM......\....p..................[................@...........@...@...................................@...........................................................................$#......D......@e.......................n...............P...........................................................................................................................................................................................................................................................................................\...yw.mYf..`.......D............#...~.....................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with very long lines (921), with CRLF line terminators
Entropy (8bit):	6.100119342770113
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	mail-41.eml
File size:	221'775 bytes
MD5:	36b739d0d85c39d12b639347b4e8108f
SHA1:	67d901d26be9238b7c9b8ba981ccc8fa639c7f69
SHA256:	b2e71e5f68b471375192f2f61ad48eafbb2594ab40d380907d67a72536bd988c
SHA512:	787e2577f5d66ddda05a22e95b66ba203ffa4a18df2bf3cedbc3fbff0bb7c541f052be5173a6f0e3d3dc9c94e8e23f53cbf386478eb9e37ea54d15728225e08e
SSDEEP:	6144:wNkza3dSbALj7qET45z/wsnDXeH0o1Pfnj:KkO3dwEYwnH7Bj
TLSH:	FF240117EA422C58335953EB8713FD4618673D7B7B67ADE86376869A20D4F36A020C0F
File Content Preview:	Received: from DEBEMAIL011.kostal.int (10.20.2.161) by DEBEMAIL011.kostal.int.. (10.20.2.161) with Microsoft SMTP Server (version=TLS1_2,.. cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.37 via Mailbox.. Transport; Tue, 26 Nov 2024 04:46:28 +0

Static Mail

General

Subject:	Action Required: Review approved payment summary for eSignature
From:	"[EXT] Garrett Baker via eDocuSign" <infos@dev32849.guestlabs.com>
To:	t.pusch@kostal.com
Cc:
BCC:
Date:	Tue, 26 Nov 2024 03:45:39 +0000
Communications:	Please find the attached Payment receipt enclosed   Payoff instructions for inv-2255734      Best regards ACCOUNTING.               CONFIDENTIALITY STATEMENT. The information contained in this e-mail message, including attachments, is the confidential information of, and/or is the property. The information is intended for use solely by the individual or entity named in the message. If you are not an intended recipient or you received this in error, then any review, printing, copying, or distribution of any such information is prohibited, and please notify the sender immediately by reply e-mail.
Attachments:	T Puschpaymentsummary.pdf

Headers

Key	Value
Received	from e226-11.smtp-out.us-east-2.amazonses.com (e226-11.smtp-out.us-east-2.amazonses.com [23.251.226.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by edge02.kostal.com (Postfix) with ESMTPS id 8DAC31E00CB for <t.pusch@kostal.com>; Tue, 26 Nov 2024 04:45:56 +0100 (CET)
x-scoring-category	1 49, 19 17, 21 17, 25 17
Authentication-Results	edge02.kostal.com; dkim=pass header.d=dev32849.guestlabs.com header.s=gk73eym5rb75hhlir3au7lurb2ga5lck header.b=QBZmJCiW; dkim=pass header.d=amazonses.com header.s=xplzuhjr4seloozmmorg6obznvt7ijlt header.b=ATxfUSnY; spf=pass (edge02.kostal.com: domain of 010f0193669324be-93bfea73-80d4-464b-b456-b9bd71c6f3f3-000000@us-east-2.amazonses.com designates 23.251.226.11 as permitted sender) smtp.mailfrom=010f0193669324be-93bfea73-80d4-464b-b456-b9bd71c6f3f3-000000@us-east-2.amazonses.com; dmarc=pass (policy=none) header.from=dev32849.guestlabs.com
Content-Type	multipart/mixed; boundary="===============3449352749175425839=="
To	t.pusch@kostal.com
Subject	Action Required: Review approved payment summary for eSignature
Date	Tue, 26 Nov 2024 03:45:39 +0000
X-Original-Message-Id	<010f0193669324be-93bfea73-80d4-464b-b456-b9bd71c6f3f3-000000@us-east-2.amazonses.com>
X-Accept-Language	en-us, en
Feedback-ID	::1.us-east-2.rFISiNnbu+W3MbJAjMcEhgUI++Rz6R/dikTfK/t+NRk=:AmazonSES
X-SES-Outgoing	2024.11.26-23.251.226.11
X-Rspamd-Server	edge02.kostal.com
X-Rspamd-Queue-Id	8DAC31E00CB
X-Spamd-Result	default: False [30.40 / 6.00]; URL_SURBL_PH(7.50)[api.keepo.io]; URL_DBL_PHISH(7.50)[api.keepo.io]; URL_SURBL_ABUSE(5.00)[api.keepo.io]; FUZZY_SPAM(3.95)[<BODY_TEXT>,S Steinkepaymentsummary.pdf]; MISSING_MIMEOLE(2.00)[]; CBJ_GiveMeABreak(1.75)[__CBJ_GiveMeABreak4]; FROM_EXCESS_QP(1.20)[]; SUBJ_EXCESS_QP(1.20)[]; FORGED_SENDER(0.30)[infos@dev32849.guestlabs.com,010f0193669324be-93bfea73-80d4-464b-b456-b9bd71c6f3f3-000000@us-east-2.amazonses.com]; RWL_MAILSPIKE_GOOD(-0.10)[23.251.226.11:from]; BAD_REP_POLICIES(0.10)[]; MIME_GOOD(-0.10)[multipart/mixed,multipart/alternative,text/plain]; ONCE_RECEIVED(0.10)[]; BAYES_SPAM(0.00)[20.42%]; AUTH_SENDER_ENVELOPE(0.00)[010f0193669324be-93bfea73-80d4-464b-b456-b9bd71c6f3f3-000000@us-east-2.amazonses.com]; HAS_X_PRIO_ONE(0.00)[1]; ARC_NA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[infos@dev32849.guestlabs.com,010f0193669324be-93bfea73-80d4-464b-b456-b9bd71c6f3f3-000000@us-east-2.amazonses.com]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~,4:~]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:16509, ipnet:23.251.226.0/24, country:US]; R_DKIM_ALLOW(0.00)[dev32849.guestlabs.com:s=gk73eym5rb75hhlir3au7lurb2ga5lck,amazonses.com:s=xplzuhjr4seloozmmorg6obznvt7ijlt]; NEURAL_HAM(-0.00)[-1.000]; RCVD_COUNT_ZERO(0.00)[0]; MISSING_XM_UA(0.00)[]; R_SPF_ALLOW(0.00)[+ip4:23.251.226.0/24]; DKIM_TRACE(0.00)[dev32849.guestlabs.com:+,amazonses.com:+]; DMARC_POLICY_ALLOW(0.00)[dev32849.guestlabs.com,none]; HAS_ATTACHMENT(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]
X-Rspamd-Action	add header
X-Spam	Yes
x-msw-jemd-scanning-scores	mailshell=50
x-msw-original-dkim-signature	v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=xplzuhjr4seloozmmorg6obznvt7ijlt; d=amazonses.com; t=1732592739; h=Content-Type:MIME-Version:From:To:Subject:Date:Message-ID:Feedback-ID; bh=XaF25Xal/N+uQodLXf4nV/rYYSgdRHkBpyPf4sJ69es=; b=ATxfUSnYkEPj/NPIg9vw0kMeHYmUSz+A6ouVEHQ2BhQayfgtscFJN0Qe9kkaYeGJ dqj7rH8R4jwazYa03tdTd8e+TbIIOuLR0Z3Xe9UjDLYD1qgNjjeDosFZNtYrHHGpsDO Gl7nmccNpKcPTJUFyWW6EFrqB5Aun+vwZCNVLGs8=
x-agari-authentication-results	debemgw003.kostal.com;
From	"[EXT] Garrett Baker via eDocuSign" <infos@dev32849.guestlabs.com>
x-msw-jemd-malware	unknown
x-msw-jemd-refid	[1]50,3,0,,d41d8cd98f00b204,infos@dev32849.guestlabs.com,t.pusch@kostal.com,RULES_HIT:41:46:150:152:355:379:540:543:547:871:973:988:989:1216:1260:1313:1314:1345:1351:1381:1437:1516:1517:1518:1542:1575:1594:1676:1699:1711:1714:1730:1764:1777:1792:2194:2199:2527:2540:2557:2559:2562:2892:2911:3138:3139:3140:3141:3142:3350:3362:3421:3769:3865:3866:3868:3870:3871:3873:4321:4361:4425:5007:6248:6264:6653:6748:7281:7903:8583:8603:8957:9080:9108:10004:10215:10394:10400:11604:11658:12043:12297:12340:12517:12519:12555:12667:13019:13095:13139:13143:13227:13229:13230:13302:13303:14036:14093:14096:14516:14721:14827:15029:21080:21324:21433:21450:21451:21627:21659:21660:21703:21789:21803:21819:21838:21980:22058:22271:22410:22446:30021:30038:30054:30075:30091,0,RBL:23.251.226.11:@dev32849.guestlabs.com:t.pusch@kostal.com.lbl8.mailshell.net-64.201.201.201 62.8.0.100;04ygw4ydaqrmt5ignpjqihqrfhyzzyfs6rr3n1pmsm
x-msw-jemd-newsletter	false
x-msw-message-direction	incoming
Message-ID	<1pl8dg01idbkuieq@debemgw003.kostal.com>
Return-Path	010f0193669324be-93bfea73-80d4-464b-b456-b9bd71c6f3f3-000000@us-east-2.amazonses.com
X-MS-Exchange-Organization-Network-Message-Id	8354b9e6-9e48-4b95-7a7b-08dd0dcce802
X-MS-Exchange-Organization-AuthSource	DEBEMAIL010.kostal.int
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Exchange-Transport-EndToEndLatency	00:00:01.1145371
X-MS-Exchange-Processed-By-BccFoldering	15.01.2507.037
Importance	high
X-Priority	1
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 11:06:46.629112005 CET	1.1.1.1	192.168.2.6	0x943c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 11:06:46.629112005 CET	1.1.1.1	192.168.2.6	0x943c	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 3132, Parent PID: 4004

General

Target ID:	2
Start time:	05:06:48
Start date:	07/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\mail-41.eml"
Imagebase:	0xd30000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: ai.exePID: 6912, Parent PID: 3132

General

Target ID:	4
Start time:	05:07:00
Start date:	07/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "565FB84F-F488-4ACB-BC91-C6B71B5BC323" "4E034981-F782-4B0B-ADF7-EA8EC50D5057" "3132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff615fe0000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly