Windows Analysis Report
FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg

Overview

General Information

Sample name:FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg
Analysis ID:1634340
MD5:aff08944fccbcba2ee661c6318e4de03
SHA1:139dad9b65ad32649bfa5855271ce2f7e5e4df7f
SHA256:0e3efa80baed68b1a2b5f7a8b9bd68f1c3b782ea4b39c5c03738af5dcb695ed9
Infos:

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected suspicious elements in Email content
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6300 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6428 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C5C71786-3044-4298-9B42-8048D1B18920" "D714FDF9-0EFE-4A5D-B459-901C66212976" "6300" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Phishing

Source: Email; Joe Sandbox AI: Email contains prominent button: 'click this to access the secure message'
Source: Email; Joe Sandbox AI: Detected potential phishing email: The email claims to be from Texas DPS (noreply@dps.texas.gov) but uses a suspicious FortiMail secure message service link. The URL structure in the 'secure message' link is unusually long and complex, containing random-looking parameters. The email creates urgency around a sensitive administrative license topic to compel the user to click the link
Source: Email; Classification: Credential Stealer
Source: FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg; String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg; String found in binary or memory: https://docs.fortinet.com/document/fortimail/7.4.3/webmail-guide-ibe/index.htm
Source: FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg; String found in binary or memory: https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgM
Source: classification engine; Classification label: mal48.winMSG@3/4@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250310T1629470864-6300.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C5C71786-3044-4298-9B42-8048D1B18920" "D714FDF9-0EFE-4A5D-B459-901C66212976" "6300" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (the number before a technique is the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 21 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label
FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg | 0% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgM | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B:JVA0PTg2NHxrf2FsZGttejNCYW1vYmsofGt/b216Z2FgM | FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg | false | Avira URL Cloud: safe | unknown
https://docs.fortinet.com/document/fortimail/7.4.3/webmail-guide-ibe/index.htm | FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg | false | | high
https://aka.ms/LearnAboutSenderIdentification | FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg | false | | high
        No contacted IP infos
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1634340
        Start date and time:2025-03-10 21:29:15 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 2m 3s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:10
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg
        Detection:MAL
        Classification:mal48.winMSG@3/4@0/0
        Cookbook Comments:
        • Found application associated with file extension: .msg
        • Exclude process from analysis (whitelisted): SIHClient.exe, SgrmBroker.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 2.16.185.191, 2.22.242.98, 2.22.242.113, 52.111.243.40, 52.111.243.43, 52.111.243.42, 52.111.243.41, 13.69.109.131, 20.189.173.15, 52.123.128.14, 20.190.159.23, 4.175.87.197
        • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, fs.microsoft.com, slscr.update.microsoft.com, onedscolprdweu03.westeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, dual-s-0005-office.config.skype.com, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, login.live.com, e16604.f.akamaiedge.net, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, onedscolprdwus14.westus.cloudapp.azure.com, omex.cdn.office.net.akamaized.net, mobile.events.data.trafficmanager.net, a1864.dscd.akamai.net
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
        No simulations
        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-0005.dual-s-msedge.net | Nouvelle_commande9353834.xls | malicious | Unknown | 52.123.129.14
 | Order_Mar25.xls | malicious | Unknown | 52.123.128.14
 | 840.xls | malicious | Unknown | 52.123.128.14
 | COTA#U00c7#U00c3O.xls | malicious | Unknown | 52.123.128.14
 | Order_Mar25.xls | malicious | Unknown | 52.123.128.14
 | 840.xls | malicious | Unknown | 52.123.129.14
 | POETDB24-2577.xla.xlsx | malicious | Unknown | 52.123.129.14
 | POETDB24-25771.xla.xlsx | malicious | Unknown | 52.123.129.14
 | POETDB24-2577.xla.xlsx | malicious | Unknown | 52.123.129.14
 | POETDB24-25771.xla.xlsx | malicious | Unknown | 52.123.129.14
        No context
        No context
        No context
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):86016
        Entropy (8bit):4.444298504805035
        Encrypted:false
        SSDEEP:768:spQ7laxHLf/2+jSI4l+X7bD9ap9QuMXsQB6I0G:iT4l+LbD9ap9QNXIG
        MD5:8EC0D62D3445F92C831A9699E283C179
        SHA1:9BE782323909F92A6C340039AFC1F6124B479853
        SHA-256:D0D1ED979C3B229B9A58955EEF32DEE98BF41D53CE052578948237429273A30E
        SHA-512:7DE7D9D13932E17F0645C2E64A7C31466E69E215EEF0669924BCA55007D1FB2F631662D6D040D57BEFAE2C5A60221DBBF1B1B26F7C7E33042735F337F5B43B63
        Malicious:false
        Reputation:low
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):163840
        Entropy (8bit):0.4796295827794093
        Encrypted:false
        SSDEEP:384:9olLuMApcfk5BUDmJGAUBli1niXHOuqM:97qk5qDmJGi1niXHODM
        MD5:F8C78E1ABC46CAE1681CDBEB4861481B
        SHA1:8D4F0CC9F42F27BA30A6373FF9E74D3C9BC68ED6
        SHA-256:7DE88220A5548651BA19FAA38E7D0E8F1F5C16DC4ACF2BC0D18152451FCC3D54
        SHA-512:36D9E7C06F5FBE75030F60298317BDAEB763E3329638590210E2CFCD02632BB8F2F02AEC81BBBD6D406CEBA126FFF3E02077E062F8A426682ED17D1713FCFE1D
        Malicious:false
        Reputation:low
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:Microsoft Outlook email folder (>=2003)
        Category:dropped
        Size (bytes):271360
        Entropy (8bit):1.3359411964117622
        Encrypted:false
        SSDEEP:768:T4QcIHrnq7U5yrHhs62Gmbprd+dVWnGtuR0lBf:TLcU5shsXfR3507f
        MD5:55F47C6E4995AA6FACDF8452740A7A55
        SHA1:3BB9FB93D146390D30837837A34E83289C4FC7EE
        SHA-256:CAD54368C1017F29E5D4BA03299441395767A92CD79BCC4C9CF49743831F4C12
        SHA-512:93B7682A7114DAD776C31A00B27C6698471DF9A8D905A2AB690DD2D4F2D17C7BD5DA2998F6A139C7B339A98F70A4DA4E6B1F4965B1FC4140BC9D1272C41FA83D
        Malicious:true
        Reputation:low
        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):131072
        Entropy (8bit):0.9648721748242559
        Encrypted:false
        SSDEEP:384:YTD1eEtZTDyGNRFZZG0yO4rgW+hl7ujS1R4:YTxz6G7IBfTS
        MD5:34E6B60B69F41A91CEF7DB75CCBE80F6
        SHA1:2E1CF123FCCD91D2D9609A805A2510F54DC9C6C7
        SHA-256:A1B8D3AFF247E2D6E51525CE3FD1E777DC73CC251A3F70C59A9108A2BC97CCD5
        SHA-512:BFD5DC17E3A96B6FFAACA5A49E736B78700D34D475D9CB51B0ACC78F4B063DC160DEBB81FCE710255D2EC1C3A792F380629C6802E1D84AA74CF6073C54F52F4E
        Malicious:true
        Reputation:low
        File type:CDFV2 Microsoft Outlook Message
        Entropy (8bit):4.104139325832604
        TrID:
        • Outlook Message (71009/1) 58.92%
        • Outlook Form Template (41509/1) 34.44%
        • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
        File name:FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg
        File size:111'616 bytes
        MD5:aff08944fccbcba2ee661c6318e4de03
        SHA1:139dad9b65ad32649bfa5855271ce2f7e5e4df7f
        SHA256:0e3efa80baed68b1a2b5f7a8b9bd68f1c3b782ea4b39c5c03738af5dcb695ed9
        SHA512:36dcd7a06c25405137df2d9fcf553b13617d705f8290dd19750861457639988a58182a763c7d04f952edd9030e44ef281379e59e636200ea595822e6d6bc405d
        SSDEEP:3072:uw7HWBQ0Y4mVOPehMzcX2u/gNzS6dp71:bHeQ0Y4GOPeKzcXvgN+
        TLSH:29B323113AFA1119F277AF368BE6A097893BBC526D14D95F2191330E0672E41DC62F3B
        Subject:FW: Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST
        From:Rosemary Salinas <rsalinas@wcctxlaw.com>
        To:"support@corerecon.com" <support@corerecon.com>
        Cc:
        BCC:
        Date:Mon, 10 Mar 2025 14:59:01 +0100
        Communications:
        • Can you please let me know if this e-mail is safe to open and answer. Best Regards, Rosie Salinas Legal Assistant WEBB, CASON & MANNING 710 Mesquite Street Corpus Christi, TX 78401 361.887.1031 (Telephone) 361.887.0903 (Fax) 361.443.0414 (Cell) rsalinas@wcctxlaw.com <mailto:rsalinas@wcctxlaw.com>
        • From: noreply@dps.texas.gov <noreply@dps.texas.gov> Sent: Saturday, March 8, 2025 3:10 PM To: Rosemary Salinas <rsalinas@wcctxlaw.com> Subject: Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST You don't often get email from noreply@dps.texas.gov <mailto:noreply@dps.texas.gov> . Learn why this is important <https://aka.ms/LearnAboutSenderIdentification> You have received a secure message Read your secure message by clicking the link below, the web browser will be launched and prompt you to log in. Click this to access the secure message <https://mailc.dps.texas.gov/module/semail.fe?fewReq=:B: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> If you have concerns about the validity of this message, contact the sender directly. About FortiMail Secure Message Service <https://docs.fortinet.com/document/fortimail/7.4.3/webmail-guide-ibe/index.htm>
        Attachments:
          Received: from SN6PR06MB4734.namprd06.prod.outlook.com
          13:59:01 +0000
          ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
          ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
          h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
          ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
          2a01:111:f403:2414::70d as permitted sender) receiver=protection.outlook.com;
          by DS0PR11MB7621.namprd11.prod.outlook.com (2603:10b6:8:143::16) with
          2025 13:59:01 +0000
          (2603:10b6:a0f:fc02::13a) with Microsoft SMTP Server (version=TLS1_3,
          10 Mar 2025 13:59:06 +0000
          Authentication-Results: spf=pass (sender IP is 2a01:111:f403:2414::70d)
          Received-SPF: Pass (protection.outlook.com: domain of wcctxlaw.com designates
          client-ip=2a01:111:f403:2414::70d;
          (2a01:111:f403:2414::70d) by SJ5PEPF000001D6.mail.protection.outlook.com
          DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wcctxlaw.com;
          by LV8PR06MB9792.namprd06.prod.outlook.com (2603:10b6:408:244::10) with
          ([fe80::937f:55d7:3eaa:42d6%6]) with mapi id 15.20.8511.025; Mon, 10 Mar 2025
          From: Rosemary Salinas <rsalinas@wcctxlaw.com>
          To: "support@corerecon.com" <support@corerecon.com>
          Subject: FW: Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING
          Thread-Topic: Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING
          Thread-Index: AQHbkG6JS49wrnnqMkKo7jGG2ryCBbNsaDKw
          Date: Mon, 10 Mar 2025 13:59:01 +0000
          Message-ID: <SN6PR06MB473472E51FCF439DBDD38086ADD62@SN6PR06MB4734.namprd06.prod.outlook.com>
          References: <20250308151025.528FAPaL003375@dps.texas.gov>
          In-Reply-To: <20250308151025.528FAPaL003375@dps.texas.gov>
          Accept-Language: en-US
          Content-Language: en-US
          X-MS-Has-Attach:
          X-MS-TNEF-Correlator:
          Authentication-Results-Original: dkim=none (message not signed)
          x-ms-traffictypediagnostic: SN6PR06MB4734:EE_|LV8PR06MB9792:EE_|SJ5PEPF000001D6:EE_|DS0PR11MB7621:EE_|CY5PR11MB6308:EE_
          X-MS-Office365-Filtering-Correlation-Id: ceaccad2-86d2-4bbf-f686-08dd5fdbb9da
          x-ms-exchange-senderadcheck: 1
          x-ms-exchange-antispam-relay: 0
          X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|376014|366016|1800799024|8096899003|38070700018;
          X-Microsoft-Antispam-Message-Info-Original: =?us-ascii?Q?rURz2rwVXCY/vrfiszyi1nlTIjlbDYag9kI5CMSdToA/C7jeCg/I9T4Ydrej?=
          X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR06MB4734.namprd06.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(366016)(1800799024)(8096899003)(38070700018);DIR:OUT;SFP:1102;
          X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount: 1
          X-MS-Exchange-AntiSpam-MessageData-Original-0: =?utf-8?B?Wnh4WisvWkpQR3gyc0V1ZHJxaWtYaHNJQ0JVWWNGTjVXaFhCMkYweWFmR2k4?=
          Content-Type: multipart/alternative;
          MIME-Version: 1.0
          X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR11MB7621
          Return-Path: rsalinas@wcctxlaw.com
          X-MS-Exchange-Organization-ExpirationStartTime: 10 Mar 2025 13:59:07.7089
          X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
          X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
          X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
          X-MS-Exchange-Organization-Network-Message-Id: ceaccad2-86d2-4bbf-f686-08dd5fdbb9da
          X-EOPAttributedMessage: 0
          X-EOPTenantAttributedMessage: fd95b4e8-ccc7-4e27-b8dc-ec4c54e4a14d:0
          X-MS-Exchange-Organization-MessageDirectionality: Incoming
          X-MS-Exchange-Transport-CrossTenantHeadersStripped: SJ5PEPF000001D6.namprd05.prod.outlook.com
          X-MS-Exchange-Transport-CrossTenantHeadersPromoted: SJ5PEPF000001D6.namprd05.prod.outlook.com
          X-MS-PublicTrafficType: Email
          X-MS-Exchange-Organization-AuthSource: SJ5PEPF000001D6.namprd05.prod.outlook.com
          X-MS-Exchange-Organization-AuthAs: Anonymous
          X-MS-Office365-Filtering-Correlation-Id-Prvs: b00eb0c8-8ea7-4b0d-9165-08dd5fdbb62f
          X-MS-Exchange-Organization-SCL: 1
          X-Microsoft-Antispam: BCL:0;ARA:13230040|35042699022|8096899003|13003099007;
          X-Forefront-Antispam-Report: CIP:2a01:111:f403:2414::70d;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM11-BN8-obe.outbound.protection.outlook.com;PTR:mail-bn8nam11on2070d.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(35042699022)(8096899003)(13003099007);DIR:INB;
          X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Mar 2025 13:59:06.2558
          X-MS-Exchange-CrossTenant-Network-Message-Id: ceaccad2-86d2-4bbf-f686-08dd5fdbb9da
          X-MS-Exchange-CrossTenant-Id: fd95b4e8-ccc7-4e27-b8dc-ec4c54e4a14d
          X-MS-Exchange-CrossTenant-AuthSource: SJ5PEPF000001D6.namprd05.prod.outlook.com
          X-MS-Exchange-CrossTenant-AuthAs: Anonymous
          X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
          X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.9700251
          X-MS-Exchange-Processed-By-BccFoldering: 15.20.8511.025
          X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4716014)(920097)(930097)(140003);
          X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?FjHDmBaAzpp6mtpdm69d0F6Epl9HwX+7aH8nTY8yzNUjqqlb+UH38z0KAIv9?=
          date: Mon, 10 Mar 2025 14:59:01 +0100

          Icon Hash:c4e1928eacb280a2
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Mar 10, 2025 21:29:49.450465918 CET | 1.1.1.1 | 192.168.2.16 | 0xdad5 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
          Mar 10, 2025 21:29:49.450465918 CET | 1.1.1.1 | 192.168.2.16 | 0xdad5 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
          Mar 10, 2025 21:29:49.450465918 CET | 1.1.1.1 | 192.168.2.16 | 0xdad5 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false

          Target ID:0
          Start time:16:29:47
          Start date:10/03/2025
          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          Wow64 process (32bit):true
          Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg"
          Imagebase:0xd90000
          File size:34'446'744 bytes
          MD5 hash:91A5292942864110ED734005B7E005C0
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          Target ID:1
          Start time:16:29:49
          Start date:10/03/2025
          Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C5C71786-3044-4298-9B42-8048D1B18920" "D714FDF9-0EFE-4A5D-B459-901C66212976" "6300" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
          Imagebase:0x7ff6ef480000
          File size:710'048 bytes
          MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:false

          No disassembly