

Windows Analysis Report
D. Bayham, Group #0070302, and Claim #7270930 - Support to Max.eml

Overview

General Information

Sample name: D. Bayham, Group #0070302, and Claim #7270930 - Support to Max.eml
Analysis ID: 1540823
MD5: 3eff18c9614bd2601979dc751467f38b
SHA1: 4cc2586455a775d21253ae0ca3d8139564af78a2
SHA256: d9525d46f8515b3908440f139eff262d01e5554b87d2e0ff867f788d8a117983
Infos:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 4304 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\D. Bayham, Group #0070302, and Claim #7270930 - Support to Max.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 644 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "AA663763-67F1-49BD-BE3C-AAB64F081339" "0538504D-C34A-4E39-8433-79C1F4C09CDB" "4304" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: Registry Key set; Author: frack113; Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\9IETW22K\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
No Suricata rule has matched

There are no malicious signatures.

Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: 3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com
Source: LogFile_4304_1.ipclog.0.drString found in binary or memory: http://aka.ms/sia
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: LogFile_4304_1.ipclog.0.drString found in binary or memory: https://3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com/_wmcs/licensing
Source: LogFile_4304_1.ipclog.0.drString found in binary or memory: https://3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com/_wmcs/licensing)
Source: LogFile_4304_1.ipclog.0.drString found in binary or memory: https://3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com/_wmcs/licensing/server.asmx
Source: LogFile_4304_1.ipclog.0.drString found in binary or memory: https://3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com/_wmcs/oauth2/servicediscovery/serviced
Source: LogFile_4304_1.ipclog.0.drString found in binary or memory: https://3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com/_wmcs/servicediscovery
Source: LogFile_4304_1.ipclog.0.drString found in binary or memory: https://3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com/_wmcs/servicediscovery/ServiceDiscover
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.aadrm.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.aadrm.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.cortana.ai
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.diagnostics.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.microsoftstream.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.office.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.onedrive.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://api.scheduler.
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://apis.live.net/v5.0/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://app.powerbi.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://augloop.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://augloop.office.com/v2
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://canary.designerapp.
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.entity.
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://clients.config.office.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://clients.config.office.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cortana.ai
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cortana.ai/api
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://cr.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://d.docs.live.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://designerapp.azurewebsites.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://designerappservice.officeapps.live.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://dev.cortana.ai
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://devnull.onenote.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://directory.services.
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ecs.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://edge.skype.com/registrar/prod
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://edge.skype.com/rps
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://graph.ppe.windows.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://graph.ppe.windows.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://graph.windows.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://graph.windows.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ic3.teams.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://invites.office.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://lifecycle.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://login.microsoftonline.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://login.microsoftonline.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://login.microsoftonline.com/organizations
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://login.windows.local
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://make.powerautomate.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://management.azure.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://management.azure.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messaging.action.office.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messaging.engagement.office.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messaging.lifecycle.office.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://messaging.office.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://mss.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ncus.contentsync.
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ncus.pagecontentsync.
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://officeapps.live.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://officepyservice.office.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://onedrive.live.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://otelrules.azureedge.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://otelrules.svc.static.microsoft
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://outlook.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://outlook.office.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://outlook.office365.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://outlook.office365.com/
Source: ~WRS{5666306E-90C1-4F37-AE27-FD32B3E00A55}.tmp.0.drString found in binary or memory: https://outlook.office365.com/Encryption/lock.png
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://outlook.office365.com/connectors
Source: ~WRS{5666306E-90C1-4F37-AE27-FD32B3E00A55}.tmp.0.dr String found in binary or memory: https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cYT2PPF15C092F3DA27
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://powerlift-user.acompli.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://pushchannel.1drv.ms
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://res.cdn.office.net
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://service.powerapps.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://settings.outlook.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://substrate.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://tasks.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://templatesmetadata.office.net/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr String found in binary or memory: https://www.yammer.com
Source: classification engine Classification label: clean2.winEML@3/23@1/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T0220500007-4304.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\D. Bayham, Group #0070302, and Claim #7270930 - Support to Max.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "AA663763-67F1-49BD-BE3C-AAB64F081339" "0538504D-C34A-4E39-8433-79C1F4C09CDB" "4304" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Window detected: Number of UI elements: 16
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX (62 identical events)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 identical events)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File opened: PhysicalDrive0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (the number in parentheses is the count of matching signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Non-Application Layer Protocol (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (23) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior Graph ID: 1540823. Sample: D. Bayham, Group #0070302, ... Start date: 24/10/2024. Architecture: WINDOWS. Score: 2.
Process tree: OUTLOOK.EXE (graph counters 514, 194) started ai.exe.
DNS/IP contacted: 3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe | -
https://login.microsoftonline.com/ | 0% | URL Reputation | safe | -
https://shell.suite.office.com:1443 | 0% | URL Reputation | safe | -
https://designerapp.azurewebsites.net | 0% | URL Reputation | safe | -
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 0% | URL Reputation | safe | -
https://autodiscover-s.outlook.com/ | 0% | URL Reputation | safe | -
https://useraudit.o365auditrealtimeingestion.manage.office.com | 0% | URL Reputation | safe | -
https://outlook.office365.com/connectors | 0% | URL Reputation | safe | -
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 0% | URL Reputation | safe | -
https://cdn.entity. | 0% | URL Reputation | safe | -
https://api.addins.omex.office.net/appinfo/query | 0% | URL Reputation | safe | -
https://clients.config.office.net/user/v1.0/tenantassociationkey | 0% | URL Reputation | safe | -
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 0% | URL Reputation | safe | -
https://powerlift.acompli.net | 0% | URL Reputation | safe | -
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe | -
https://lookup.onenote.com/lookup/geolocation/v1 | 0% | URL Reputation | safe | -
https://cortana.ai | 0% | URL Reputation | safe | -
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe | -
https://api.powerbi.com/v1.0/myorg/imports | 0% | URL Reputation | safe | -
https://cloudfiles.onenote.com/upload.aspx | 0% | URL Reputation | safe | -
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe | -
https://entitlement.diagnosticssdf.office.com | 0% | URL Reputation | safe | -
https://api.aadrm.com/ | 0% | URL Reputation | safe | -
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe | -
https://canary.designerapp. | 0% | URL Reputation | safe | -
https://ic3.teams.office.com | 0% | URL Reputation | safe | -
https://www.yammer.com | 0% | URL Reputation | safe | -
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 0% | URL Reputation | safe | -
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 0% | URL Reputation | safe | -
https://cr.office.com | 0% | URL Reputation | safe | -
https://messagebroker.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe | -
https://portal.office.com/account/?ref=ClientMeControl | 0% | URL Reputation | safe | -
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 0% | URL Reputation | safe | -
https://edge.skype.com/registrar/prod | 0% | URL Reputation | safe | -
https://graph.ppe.windows.net | 0% | URL Reputation | safe | -
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe | -
https://powerlift-user.acompli.net | 0% | URL Reputation | safe | -
https://tasks.office.com | 0% | URL Reputation | safe | -
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe | -
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 0% | URL Reputation | safe | -
https://api.scheduler. | 0% | URL Reputation | safe | -
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe | -
https://api.aadrm.com | 0% | URL Reputation | safe | -
https://edge.skype.com/rps | 0% | URL Reputation | safe | -
https://globaldisco.crm.dynamics.com | 0% | URL Reputation | safe | -
https://messaging.engagement.office.com/ | 0% | URL Reputation | safe | -
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe | -
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe | -
https://www.odwebp.svc.ms | 0% | URL Reputation | safe | -
https://api.diagnosticssdf.office.com/v2/feedback | 0% | URL Reputation | safe | -
https://api.powerbi.com/v1.0/myorg/groups | 0% | URL Reputation | safe | -
https://web.microsoftstream.com/video/ | 0% | URL Reputation | safe | -
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe | -
https://graph.windows.net | 0% | URL Reputation | safe | -
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe | -
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe | -
https://analysis.windows.net/powerbi/api | 0% | URL Reputation | safe | -
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe | -
https://substrate.office.com | 0% | URL Reputation | safe | -
https://outlook.office365.com/autodiscover/autodiscover.json | 0% | URL Reputation | safe | -
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 0% | URL Reputation | safe | -
https://consent.config.office.com/consentcheckin/v1.0/consents | 0% | URL Reputation | safe | -
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe | -
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 0% | URL Reputation | safe | -
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 0% | URL Reputation | safe | -
https://safelinks.protection.outlook.com/api/GetPolicy | 0% | URL Reputation | safe | -
https://ncus.contentsync. | 0% | URL Reputation | safe | -
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 0% | URL Reputation | safe | -
http://weather.service.msn.com/data.aspx | 0% | URL Reputation | safe | -
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe | -
https://officepyservice.office.net/service.functionality | 0% | URL Reputation | safe | -
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 0% | URL Reputation | safe | -
https://templatesmetadata.office.net/ | 0% | URL Reputation | safe | -
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 0% | URL Reputation | safe | -
https://messaging.lifecycle.office.com/ | 0% | URL Reputation | safe | -
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 0% | URL Reputation | safe | -
https://mss.office.com | 0% | URL Reputation | safe | -
https://pushchannel.1drv.ms | 0% | URL Reputation | safe | -
https://management.azure.com | 0% | URL Reputation | safe | -
https://outlook.office365.com | 0% | URL Reputation | safe | -
https://wus2.contentsync. | 0% | URL Reputation | safe | -
https://incidents.diagnostics.office.com | 0% | URL Reputation | safe | -
https://clients.config.office.net/user/v1.0/ios | 0% | URL Reputation | safe | -
https://make.powerautomate.com | 0% | URL Reputation | safe | -
https://api.addins.omex.office.net/api/addins/search | 0% | URL Reputation | safe | -
https://insertmedia.bing.office.net/odc/insertmedia | 0% | URL Reputation | safe | -
https://outlook.office365.com/api/v1.0/me/Activities | 0% | URL Reputation | safe | -
https://api.office.net | 0% | URL Reputation | safe | -
https://incidents.diagnosticssdf.office.com | 0% | URL Reputation | safe | -
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com | unknown | unknown | false | - | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://login.microsoftonline.com/ | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://shell.suite.office.com:1443 | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://designerapp.azurewebsites.net | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://autodiscover-s.outlook.com/ | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/connectors | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://cdn.entity. | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://powerlift.acompli.net | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://cortana.ai | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/imports | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://cloudfiles.onenote.com/upload.aspx | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://entitlement.diagnosticssdf.office.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com/ | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://canary.designerapp. | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://ic3.teams.office.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://www.yammer.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://api.microsoftstream.com/api/ | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | - | unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://cr.office.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | - | unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://otelrules.svc.static.microsoft | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | - | unknown
https://portal.office.com/account/?ref=ClientMeControl | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/registrar/prod | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://graph.ppe.windows.net | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://res.getmicrosoftkey.com/api/redemptionevents | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://powerlift-user.acompli.net | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://officeci.azurewebsites.net/api/ | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cYT2PPF15C092F3DA27 | ~WRS{5666306E-90C1-4F37-AE27-FD32B3E00A55}.tmp.0.dr | false | - | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://api.scheduler. | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false | URL Reputation: safe | unknown
https://my.microsoftpersonalcontent.com | 28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.dr | false
              unknown
              https://outlook.office365.com/Encryption/lock.png~WRS{5666306E-90C1-4F37-AE27-FD32B3E00A55}.tmp.0.drfalse
                unknown
                https://store.office.cn/addinstemplate28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                • URL Reputation: safe
                unknown
                https://3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com/_wmcs/licensing/server.asmxLogFile_4304_1.ipclog.0.drfalse
                  unknown
                  https://api.aadrm.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://edge.skype.com/rps28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://outlook.office.com/autosuggest/api/v1/init?cvid=28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    unknown
                    https://globaldisco.crm.dynamics.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://messaging.engagement.office.com/28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://dev0-api.acompli.net/autodetect28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://www.odwebp.svc.ms28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://api.diagnosticssdf.office.com/v2/feedback28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://api.powerbi.com/v1.0/myorg/groups28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://web.microsoftstream.com/video/28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://api.addins.store.officeppe.com/addinstemplate28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://graph.windows.net28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://dataservice.o365filtering.com/28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://officesetup.getmicrosoftkey.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://analysis.windows.net/powerbi/api28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://prod-global-autodetect.acompli.net/autodetect28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://substrate.office.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://outlook.office365.com/autodiscover/autodiscover.json28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://consent.config.office.com/consentcheckin/v1.0/consents28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://d.docs.live.net28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                      unknown
                      https://safelinks.protection.outlook.com/api/GetPolicy28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://ncus.contentsync.28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        unknown
                        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        http://weather.service.msn.com/data.aspx28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://apis.live.net/v5.0/28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://officepyservice.office.net/service.functionality28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://templatesmetadata.office.net/28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://messaging.lifecycle.office.com/28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://mss.office.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://pushchannel.1drv.ms28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://management.azure.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://outlook.office365.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://wus2.contentsync.28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://incidents.diagnostics.office.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://clients.config.office.net/user/v1.0/ios28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://make.powerautomate.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://api.addins.omex.office.net/api/addins/search28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://insertmedia.bing.office.net/odc/insertmedia28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://outlook.office365.com/api/v1.0/me/Activities28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://api.office.net28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://incidents.diagnosticssdf.office.com28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://asgsmsproxyapi.azurewebsites.net/28DBC50C-3409-4EDB-9D07-7155CDF53F73.0.drfalse
                        • URL Reputation: safe
                        unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540823
Start date and time: 2024-10-24 08:19:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: D. Bayham, Group #0070302, and Claim #7270930 - Support to Max.eml
Detection: CLEAN
Classification: clean2.winEML@3/23@1/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .eml
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 52.109.89.19, 13.107.6.181, 20.189.173.25, 2.19.126.151, 2.19.126.160, 52.109.28.48
• Excluded domains from analysis (whitelisted): osiprod-uks-bronze-azsc-000.uksouth.cloudapp.azure.com, omex.cdn.office.net, odc.officeapps.live.com, slscr.update.microsoft.com, europe.odcsm1.live.com.akadns.net, weu-azsc-000.roaming.officeapps.live.com, weu-azsc-config.officeapps.live.com, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, login.live.com, officeclient.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, prod.configsvc1.live.com.akadns.net, aadrm-com.b-0026.b-msedge.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, uks-azsc-000.odc.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, b-0026.b-msedge.net, onedscolprdwus20.westus.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, p
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetValueKey calls found.
• VT rate limit hit for: D. Bayham, Group #0070302, and Claim #7270930 - Support to Max.eml
No simulations
Input / Output
URL: Model: claude-3-5-sonnet-20240620
{
    "explanation": [
        "The email is from a legitimate domain (manulife.ca) and appears to be a standard encrypted message notification",
        "The subject line and recipient list suggest a business-related communication",
        "The message contains standard Microsoft Purview Message Encryption information and links"
    ],
    "phishing": false,
    "confidence": 8
}
Is this email content a phishing attempt? Please respond only in valid JSON format:
Email content converted to JSON:
{
    "date": "Wed, 23 Oct 2024 19:48:47 +0000",
    "subject": "D. Bayham, Group #0070302, and Claim #7270930 - Support to Max",
    "communications": [
        "vanessa osai (Vanessa_Osai@manulife.ca) has sent you a protected message.\n\n\n\n <https://outlook.office365.com/Encryption/lock.png>\n\nRead the message<https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cYT2PPF15C092F3DA27DCB1DFFA84E9A9321F14D2%40YT2PPF15C092F3D.CANPRD01.PROD.OUTLOOK.COM%3e>\n\n\n\nLearn about messages protected by Microsoft Purview Message Encryption.<https://go.microsoft.com/fwlink/?Linkid=844050>\nPrivacy Statement<https://go.microsoft.com/fwlink/p/?linkid=857875>\n\nLearn More<https://go.microsoft.com/fwlink/?Linkid=844050> on email encryption.\nMicrosoft Corporation, One Microsoft Way, Redmond, WA 98052\n"
    ],
    "from": "vanessa osai <Vanessa_Osai@manulife.ca>",
    "to": "Troels Hegh <th@hartmann-packaging.com>, Wray Hussey Sr <WJH@hartmann-packaging.com>, Brenda MacDonald <BMAC@hartmann-packaging.com>"
}
URL: Email Model: claude-3-haiku-20240307
```json
{
  "contains_trigger_text": true,
  "trigger_text": "Read the message",
  "prominent_button_name": "Read the message",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}
```
URL: Email Model: claude-3-haiku-20240307
```json
{
  "brands": [
    "Microsoft Purview Message Encryption",
    "Microsoft Corporation"
  ]
}
```
No context
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 231348
Entropy (8bit): 4.394906418930815
Encrypted: false
SSDEEP: 3072:EbggLmgkmiGu2nqoQDvrt0Fvjio+AQNjfuf8:ELGmi2qc+AQNjfu0
MD5: BF646CD567F754968D425A2A476DC707
SHA1: 8BE60BEE6E50E48E85A743F7483E11B12C7004F5
SHA-256: 153D5F8FD0A300CCB9B7CDD72F62818DECD4E2A812024C4DA07ECF5AFE6407E5
SHA-512: 4588D2AFDDB2FE63AE45AC4F5953A9CC70B377D57321FA2B3223018804D7E74BC8F21F8E797546EE54CD617B5D2089C443E61C1BD6B30968D7CF5248B8D7C40F
Malicious: false
Reputation: low
Preview: TH02...... .P....%......SM01X...,...p....%..........IPM.Activity...........h...............h............H..h,.......93* ...h............H..h\FRO ...1\Ap...h....0..........h.+QI...........h........_`Tk...h.*QI@...I.tw...h....H...8.Yk...0....T...............d.........2h...............k..............!h.............. h9.2...........#h....8.........$h........8....."h.E.......E....'h..............1h.+QI<.........0h....4....Yk../h....h.....YkH..h.n..p...,.....-h ............+h.(QI.... ................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 29882
Entropy (8bit): 3.981062841464128
Encrypted: false
SSDEEP: 384:6ENGTyYjWjPo+KENGThU19y7pjPo+MKOWnN8y7PKCol7a8YrKF:cr+shcEm+MK3N8EPKCol7yrKF
MD5: ACEC2F9728045812011F0D32DA926111
SHA1: 22D41F860A3DB8EDB119E739966562EEF77C154D
SHA-256: B565CAB87AEFDB3A64175254274F682AE8AB8C515A14A30BF9A04DDAF9082091
SHA-512: 5D949A3FCBB5F89D92184383A3DBEC7C6E0EA5A19D33F5B7E2D10E1C20961AE69E0017158E7F05A9D10CC4D7342B99964DD065BCD4FF39EB5F614C54039A038A
Malicious: false
Reputation: low
Preview: <.X.r.M.L. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".".>.<.B.O.D.Y. .t.y.p.e.=.".L.I.C.E.N.S.E.". .v.e.r.s.i.o.n.=.".3...0.".>.<.I.S.S.U.E.D.T.I.M.E.>.2.0.2.4.-.1.0.-.2.4.T.0.6.:.2.0.<./.I.S.S.U.E.D.T.I.M.E.>.<.D.E.S.C.R.I.P.T.O.R.>.<.O.B.J.E.C.T. .t.y.p.e.=.".M.a.c.h.i.n.e.-.C.e.r.t.i.f.i.c.a.t.e.".>.<.I.D. .t.y.p.e.=.".M.S.-.G.U.I.D.".>.{.9.2.9.9.2.2.3.6.-.A.9.2.0.-.4.1.5.2.-.A.B.A.C.-.1.C.8.3.4.6.7.C.5.A.5.7.}.<./.I.D.>.<.N.A.M.E.>.M.i.c.r.o.s.o.f.t. .M.a.c.h.i.n.e.-.C.e.r.t.i.f.i.c.a.t.e.<./.N.A.M.E.>.<./.O.B.J.E.C.T.>.<./.D.E.S.C.R.I.P.T.O.R.>.<.I.S.S.U.E.R.>.<.O.B.J.E.C.T. .t.y.p.e.=.".M.S.-.D.R.M.-.D.e.s.k.t.o.p.-.S.e.c.u.r.i.t.y.-.P.r.o.c.e.s.s.o.r.".>.<.I.D. .t.y.p.e.=.".M.S.-.G.U.I.D.".>.{.4.3.4.C.F.C.2.5.-.B.9.3.E.-.4.2.9.8.-.9.C.3.B.-.A.3.B.E.4.9.B.7.3.7.D.B.}.<./.I.D.>.<.N.A.M.E.>.M.i.c.r.o.s.o.f.t. .D.R.M. .P.r.o.d.u.c.t.i.o.n. .D.e.s.k.t.o.p. .S.e.c.u.r.i.t.y. .P.r.o.c.e.s.s.o.r. .A.c.t.i.v.a.t.i.o.n. .C.e.r.t.i.f.i.c.a.t.e.<./.N.A.M.E.>.<./.O.B.J.E.C.T.>.<.P.U.B.L.I.C.
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 26606
Entropy (8bit): 3.9578770944798256
Encrypted: false
SSDEEP: 384:6IU04aivIgmNaiiKqO74K6iPa8YeKxgVXq:SvmliKd74K6AyeKiVa
MD5: 9055B7BA0A610D440E769C67B1147F5A
SHA1: FB7713FC5CEC3F34D11EB54A0EE3AFF3ADFCA6AA
SHA-256: AD3F9A921FC36559A42F75169A4A80E508F126FBEC6F1327B8F0C4E6873C779C
SHA-512: 201DF5B83485AB0E65CE5BA2460EE9F1116565F9212BB51F6298C5019068179B44EC03CAA98BD3C0F80A07040C6A5F73F6EA1CB9AD6B582C49C1C68477897F67
Malicious: false
Reputation: low
Preview: <.X.r.M.L. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".".>.<.B.O.D.Y. .t.y.p.e.=.".L.I.C.E.N.S.E.". .v.e.r.s.i.o.n.=.".3...0.".>.<.I.S.S.U.E.D.T.I.M.E.>.2.0.2.4.-.1.0.-.2.4.T.0.6.:.2.0.<./.I.S.S.U.E.D.T.I.M.E.>.<.D.E.S.C.R.I.P.T.O.R.>.<.O.B.J.E.C.T. .t.y.p.e.=.".M.a.c.h.i.n.e.-.C.e.r.t.i.f.i.c.a.t.e.".>.<.I.D. .t.y.p.e.=.".M.S.-.G.U.I.D.".>.{.9.2.9.9.2.2.3.6.-.A.9.2.0.-.4.1.5.2.-.A.B.A.C.-.1.C.8.3.4.6.7.C.5.A.5.7.}.<./.I.D.>.<.N.A.M.E.>.M.i.c.r.o.s.o.f.t. .M.a.c.h.i.n.e.-.C.e.r.t.i.f.i.c.a.t.e.<./.N.A.M.E.>.<./.O.B.J.E.C.T.>.<./.D.E.S.C.R.I.P.T.O.R.>.<.I.S.S.U.E.R.>.<.O.B.J.E.C.T. .t.y.p.e.=.".M.S.-.D.R.M.-.D.e.s.k.t.o.p.-.S.e.c.u.r.i.t.y.-.P.r.o.c.e.s.s.o.r.".>.<.I.D. .t.y.p.e.=.".M.S.-.G.U.I.D.".>.{.5.b.4.4.e.d.9.2.-.3.8.9.4.-.4.3.e.b.-.8.3.9.5.-.2.a.1.3.a.e.8.d.f.2.2.3.}.<./.I.D.>.<.N.A.M.E.>.M.i.c.r.o.s.o.f.t. .D.R.M. .P.r.o.d.u.c.t.i.o.n. .D.e.s.k.t.o.p. .S.e.c.u.r.i.t.y. .P.r.o.c.e.s.s.o.r. .A.c.t.i.v.a.t.i.o.n. .C.e.r.t.i.f.i.c.a.t.e.<./.N.A.M.E.>.<./.O.B.J.E.C.T.>.<.P.U.B.L.I.C.
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 108
Entropy (8bit): 1.4536274638408817
Encrypted: false
SSDEEP: 3:JlqN+PR1clGpKYll:JsogGpKI
MD5: 6C302CDD75EDFF7F2EA9C95575E79417
SHA1: 8E65FDABFDDC135D6D33AFFB0896168E21B3E0CE
SHA-256: 44D4368947456A539AFEE5E95798C335D680AC6C65BA2C47DB50D1E15F9D7960
SHA-512: E1F28ED19D35F682F66507AAAC92E3F9325C6F7D46AB5898C29808356118FC7D7549281E6036E946DA67FE8849A44ECA1468FCC0EA8A9EFA3143C2E82FF5B35A
Malicious: false
Reputation: low
Preview: L.o.g.F.i.l.e._.4.3.0.4._.1...i.p.c.l.o.g...................................................................
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: ASCII text, with very long lines (313), with CRLF, LF line terminators
Category: dropped
Size (bytes): 406070
Entropy (8bit): 5.633847328373314
Encrypted: false
SSDEEP: 6144:93QL9/wmV/qmJem3QLoxE/FFamf/UFpmP/CmM/dF+mM:93QLV3QLou
MD5: F8C6E43E6EA03E0EFB770B72AF9AC24D
SHA1: 9D7B414CF1D87641A716348854EDC85F62844E5F
SHA-256: A173B804ECAFE8744DB46F592DE7FDCDA9E28B4D66798745796107E881DE0C86
SHA-512: 9D8EB1D8BB650898B11A5EAF314F132E7099478FBA2D966E43DA76D5C5A372E8E735FAEAED314F27AF979EED6463EAB2D9F2CF69AAE91C6C9837263881483DC6
Malicious: false
Reputation: low
Preview: {{[1][msipc]:[Info]:[4188]:[2024-10-24 06:20:53.429]: ippapi.cpp:ippInitializeAuthAndFileBasedLoggingIfNeeded:5008....Logging Initialized for client mode, store name is NULL....}}{{[2][msipc]:[Info]:[4188]:[2024-10-24 06:20:53.429]: ippapi.cpp:ippInitializeAuthAndFileBasedLoggingIfNeeded:5011....Log Version: 1.1....}}{{[7][msipc]:[Warning]:[4188]:[2024-10-24 06:20:53.429]: ipcauthadal.cpp:Microsoft::InformationProtection::AuthInit::Initialize:69....Client id is not set, authentication against Evo will not be possible.....}}{{[8][msipc]:[Warning]:[4188]:[2024-10-24 06:20:53.429]: ipcauthadal.cpp:Microsoft::InformationProtection::AuthInit::Initialize:73....Redirection uri is not set, authentication against Evo will not be possible.....}}{{[14][msipc]:[Info]:[4188]:[2024-10-24 06:20:53.429]: ippapi.cpp:ippInitializeAuthAndFileBasedLoggingIfNeeded:5017....Flighting Ring Id: Client not part of any flighting ring.....}}{{[16][msipc]:[Info]:[4188]:[2024-10-24 06:20:53.429]: registry.h:Microso
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: OpenPGP Secret Key
Category: dropped
Size (bytes): 4096
Entropy (8bit): 7.953033091645739
Encrypted: false
SSDEEP: 96:4yiy83PcFZF5HslLDXvM3nRCGVvZyApUInIiOeXdP4ExdCqUs:4xQdsdM3nRCKv9pUInzOeXBBL
MD5: 8D5EADFAD27E7C41BB346B32E263CB03
SHA1: 823924BFE6B88AE660FB125D756B9E0D98067480
SHA-256: 1A6DDBFAADDDA1EC1A9A854345B12DC5998F88A2DD26FBB87DCE4E285EBC8DC3
SHA-512: 30AEF7F4FE147A6BB99FBA78AEA522B643C185A81D3C70B5ED0C6EE88F91CE4306497F9D103AAA91A7DB40E6B29C107F97498851BCB64A4638AEED2CEBD1DE0D
Malicious: false
Reputation: low
Preview: ...CpB....Q[r.H...&..T..Op.rK..G...U=t......o8..1.n.6.6.`.j..../...6..T.....S.*n.'..J..v._..R....x`]...Mx<#z.B.*[NVr..A....$L..d8...b./].Q.=q.`.G...j@..C....N.H7...o....E..jo..c1T..B..'..!XJ?G$....+i+..Qit/b....^..."..^-.DK9..G...F.Ua..V.-..PX...P%.{..w.L..J.i.>..z.x..v.@w.....!..A.....w....$.b]6.}.h..1Xd.....:..".M....b..3....1....2./.<....H8......|.,F;T...=./oD...c.3 O.Vn..${hgTO@b..a...]........y(%m.......W.u..}.O/."._I../Wk.......5.'..VfJ..Ee...E....].= .......</....M..?e*..3....5s$.x}-....2..?.....lY....{...n..A...+......y..0....4.I.U.i.h.........".W..9..!....;......"..&.$...a....!,..D..V.03.z..T3.].E .J......G..c!............n...Ft..=...`Y(.._.`...i....K.A.6j..v....zS.CN3..8.X.S)..x.63..nQ..c..s..[..e>0.C...l...b.I..s{...S .;..."s.....j..m.5..X8.D.]..F...=L"..3..s.|...Z..K.X_.|...&0T.....!....Z[..~t..N......HP...L.+4...A..?.t.....i.R...jS..d.+.P.....P6..\....!...R$T...o.p/M...BA~.=,..S.3.X.q.D......I....r.?.U.z.
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 178267
Entropy (8bit): 5.290273150088817
Encrypted: false
SSDEEP: 1536:Ei2XfRAqFbH41gwEwLe7HW8QM/o/NMdcAZl1p5ihs7EXXDEAD2Odago:OCe7HW8QM/o/TXgk9o
MD5: 84C602C53C7E3BD73147F8E57BA8EFDA
SHA1: 438CB63CB64A77830B8822F6A69613F8A41B6BEE
SHA-256: 925ECF4117088178255A2D72F914B051C2C61B963CB3E33EC3D8DD95D064CDA1
SHA-512: 37519896BFE0CBD31EC94AAE17F2F07D3D66D21D00DF4A2C5A96686D1DD8A2C4126A8279FFF75D79DF2EE29F8BCDB5BE6279F45F741DEB823AB12CAEA39F533A
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-24T06:20:52">.. Build: 16.0.18209.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.09304735440217722
Encrypted: false
SSDEEP: 3:lSWFN3l/klslpEl9Xll:l9F8E+9
MD5: D0DE7DB24F7B0C0FE636B34E253F1562
SHA1: 6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256: B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512: 42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: SQLite Rollback Journal
Category: dropped
Size (bytes): 4616
                        Entropy (8bit):0.13725295831344367
                        Encrypted:false
                        SSDEEP:3:7FEG2l+E/FllkpMRgSWbNFl/sl+ltlslN04l9Xllb:7+/l7g9bNFlEs1E39z
                        MD5:AA5AE42F163EE2931CA7E9D58AEB6C37
                        SHA1:0981C37C7FEDD7828099FDABF30EB29007E0FD58
                        SHA-256:CEB09DE74C16BD945B72799C7725C8CA80CD0C696EEFA707AB6B098B416641B6
                        SHA-512:44198077590BA62CA6DEE096A27970AD2F933619ACBC32606C064FB21FE23E63C2D59E685D87824499044236C5A0A366E23C4E39ABD12495CA7CAB859A618761
                        Malicious:false
                        Preview:.... .c.....aK>z....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):0.04482848510499482
                        Encrypted:false
                        SSDEEP:3:G4l2g5HYLCfrBt4l2g5HYLCfrK/8lL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2aNBt4l2aNa0L9XXPH4l942U
                        MD5:C2F3C888EA641B2460CD27778404F8BA
                        SHA1:F2F73AF01A9EBD01F988921EE1D34F5E78B41FD4
                        SHA-256:CD6EF20EDB1633DB56073C426FF21F53FCA282949B3832B11DF43146D90DD96B
                        SHA-512:18FDC358116772663F5C87B499A553D75B73B3FBE5A8924B0ED45D0691A13A9C1562F37006BB0967A0BF0B1670F6014C4BFBB962085BC90DA8FC23C144F6BDA1
                        Malicious:false
                        Preview:..-.......................c...T.!.f[Dq.P.g.1M.{..-.......................c...T.!.f[Dq.P.g.1M.{........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:SQLite Write-Ahead Log, version 3007000
                        Category:dropped
                        Size (bytes):45352
                        Entropy (8bit):0.3950180548330496
                        Encrypted:false
                        SSDEEP:24:KqwQMIzRDq676ill7DBtDi4kZERD2NZaNTxqt8VtbDBtDi4kZERDq/:vwQjH6ill7DYMyNZaJxO8VFDYMG
                        MD5:20FD0F2CC51E22504B143A86074AAB8F
                        SHA1:07D8D2439915B48A1415A0538C38C6B87C54CAD0
                        SHA-256:3B0886B10CB9187648A6AE545E00B481AB22CB48BF90C12B27506ADE777A252B
                        SHA-512:A73F13D4EA28F17CFDCBB097B4282A8B67654430559E60F9C2B1766C63E4DC2A4BE516AF7B771A716442B89B5AF9ECBEA6F6A201A1251739C88EAA5469FB322A
                        Malicious:false
                        Preview:7....-..........!.f[Dq.P0M!48.j.........!.f[Dq.P^r.B,..SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:rpmsg Restricted Permission Message
                        Category:dropped
                        Size (bytes):60150
                        Entropy (8bit):7.993949883846222
                        Encrypted:true
                        SSDEEP:1536:0Y6VSE1aIol7Y/+E6uikPiKTY/ztNhL7zfKSkgFF:z6VLR+E6UiKTY/JfKSbr
                        MD5:ED3304B18490B69E9D9965DB1BD618E2
                        SHA1:4CDBA20823E5777F08E463B2B702B1D33A0FABE2
                        SHA-256:D63702A24BD36A52FF54570F37B2EB6C8D06A4D1353AAFBB4F961993C1C7D6F6
                        SHA-512:D006192576C5F7E3AE561F6BD01468143259D617E58C99C54A5039B719BF0A3612BE770A2160ADE72F9D25F8EF7A4FDE314B9FDB92366F968CD1CB411C0A65B2
                        Malicious:false
                        Preview:v..`..............x...y8Tm...}.J..c+T.},...HYF.....$..(1H4JF!{.....l.Q.,..z.........w.y.y..........q...:...}..A..9J@..@X.......}..l.?.gb.X..Q.j..?....z.....`.,...-.@.v..v......\....^....n ....@...4.."@...q.....@.H... 8......r@.(.E.....P.j?.6....@.h.mp..#@...}`....0.&.(0.f...;...W....@.88.l.........I.....p....p......^....>....<... ...`..BA.... ....~.....a-t.....?.N.1.....i..........?......jC/~.w.y..........w....._e.......k..G'......wn..2....^.B>?...s..<.`......>.._..*t.=...;......W=X..L...:c. ...9.....c.yR%.../T}6d..'(<.Tq.X.+O.......k.#j...2.M.4.._.l>.5K.k\.(..zRzn*>....@.=mw.`f...T.^t.....8..ZIz.!..I_~..z..)Oz..7...z....+....wi.g.yw.y&.....8.Q.>(.$...HV:.......E...y.8.A.,.4.'g..1.X...?a..M#........%..uS.aR[...t..0{.b.c.A..J.RS.....)..hj..d{D.%.Rw.....6..Q.]w..E.:...9..p}.&..e...U.....t].....TH..j.d.......R.fP.....C..l=$...~S=)'.c.P.dp.....!0......[$....x .s<.#.c....%`...O....LW.v.;-.~O.p...=...R............k..~V.x.9.]pGD.L.|
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:gAWY3n:qY3n
                        MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                        SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                        SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                        SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                        Malicious:false
                        Preview:[ZoneTransfer]..ZoneId=3..
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:rpmsg Restricted Permission Message
                        Category:dropped
                        Size (bytes):60150
                        Entropy (8bit):7.993949883846222
                        Encrypted:true
                        SSDEEP:1536:0Y6VSE1aIol7Y/+E6uikPiKTY/ztNhL7zfKSkgFF:z6VLR+E6UiKTY/JfKSbr
                        MD5:ED3304B18490B69E9D9965DB1BD618E2
                        SHA1:4CDBA20823E5777F08E463B2B702B1D33A0FABE2
                        SHA-256:D63702A24BD36A52FF54570F37B2EB6C8D06A4D1353AAFBB4F961993C1C7D6F6
                        SHA-512:D006192576C5F7E3AE561F6BD01468143259D617E58C99C54A5039B719BF0A3612BE770A2160ADE72F9D25F8EF7A4FDE314B9FDB92366F968CD1CB411C0A65B2
                        Malicious:false
                        Preview:v..`..............x...y8Tm...}.J..c+T.},...HYF.....$..(1H4JF!{.....l.Q.,..z.........w.y.y..........q...:...}..A..9J@..@X.......}..l.?.gb.X..Q.j..?....z.....`.,...-.@.v..v......\....^....n ....@...4.."@...q.....@.H... 8......r@.(.E.....P.j?.6....@.h.mp..#@...}`....0.&.(0.f...;...W....@.88.l.........I.....p....p......^....>....<... ...`..BA.... ....~.....a-t.....?.N.1.....i..........?......jC/~.w.y..........w....._e.......k..G'......wn..2....^.B>?...s..<.`......>.._..*t.=...;......W=X..L...:c. ...9.....c.yR%.../T}6d..'(<.Tq.X.+O.......k.#j...2.M.4.._.l>.5K.k\.(..zRzn*>....@.=mw.`f...T.^t.....8..ZIz.!..I_~..z..)Oz..7...z....+....wi.g.yw.y&.....8.Q.>(.$...HV:.......E...y.8.A.,.4.'g..1.X...?a..M#........%..uS.aR[...t..0{.b.c.A..J.RS.....)..hj..d{D.%.Rw.....6..Q.]w..E.:...9..p}.&..e...U.....t].....TH..j.d.......R.fP.....C..l=$...~S=)'.c.P.dp.....!0......[$....x .s<.#.c....%`...O....LW.v.;-.~O.p...=...R............k..~V.x.9.]pGD.L.|
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:gAWY3n:qY3n
                        MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                        SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                        SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                        SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                        Malicious:false
                        Preview:[ZoneTransfer]..ZoneId=3..
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):5188
                        Entropy (8bit):3.2976163134544314
                        Encrypted:false
                        SSDEEP:48:WP7Erz9t4W3ZfhKMzqNFSySySySi6ULKM5lYcC0m0HOHJLSoGLq3ZgLkeLqrKV+:m7Erz9FKXFSySySySi6ZlKdo3b
                        MD5:4565958DA125C0EEF885CD5DB75CE10B
                        SHA1:91D6EC67F4DA9F0376CB2C5CC51591A88EDFEF4E
                        SHA-256:732E13210345C7F6A9FA24BB309221D447C838D53AF8717281DE438BF676497A
                        SHA-512:91D9518574EA7D5FDB05CBB40451ABA721B45FDF1CB8C27A76704A57B437E2FD9BC630D070DCEE93F10707DA65AF54DBD2AB77841074CAA2A09497D1540975AF
                        Malicious:false
                        Preview:....v.a.n.e.s.s.a. .o.s.a.i. .(.V.a.n.e.s.s.a._.O.s.a.i.@.m.a.n.u.l.i.f.e...c.a.). .h.a.s. .s.e.n.t. .y.o.u. .a. .p.r.o.t.e.c.t.e.d. .m.e.s.s.a.g.e... ........................................................................................................................................................................................................................................................................................................................................................................................."...&...........l...n...p...t...v...x.................................................................................................................................................................................................................................................................................................................................................*...$..$.If........!v..h.#v....:V.......t.....6......5.......4........4........a.........$..d....a
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:ASCII text, with very long lines (28729), with CRLF line terminators
                        Category:dropped
                        Size (bytes):20971520
                        Entropy (8bit):0.1777204978735413
                        Encrypted:false
                        SSDEEP:1536:gDcUWxrHg5TPjn9dXzkANiT2wWvkvRYFnD15jK2lojdbREI7xVVB9Ppt:tlHYPn9KPl+x8WGt
                        MD5:9828E06B14C85422BA0C4F9EE82C1C65
                        SHA1:B6AE2C03B5D316C0109F7F96A7E72E074666CA45
                        SHA-256:6F0064FB14308F633CDB4B75F55E7B239EB1D9F86D1B541E167FF6DD4F531506
                        SHA-512:18F5ECD3C0679F3A726B6609C0170A0EC3C2A52AA125E41F2B2B45A88DD6E90C1179246961C254F801BBC1CE31AEEEFB9B79831EDE3E49EF29132C4921C60B14
                        Malicious:false
                        Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/24/2024 06:20:50.476.OUTLOOK (0x10D0).0x1A7C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":20,"Time":"2024-10-24T06:20:50.476Z","Contract":"Office.System.Activity","Activity.CV":"ZKjgDGoyv0+JsitDcw7zmw.4.9","Activity.Duration":59,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/24/2024 06:20:50.491.OUTLOOK (0x10D0).0x1A7C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-24T06:20:50.491Z","Contract":"Office.System.Activity","Activity.CV":"ZKjgDGoyv0+JsitDcw7zmw.4.10","Activity.Duration":15253,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):20971520
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3::
                        MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                        SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                        SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                        SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                        Malicious:false
                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):110592
                        Entropy (8bit):4.49458991849665
                        Encrypted:false
                        SSDEEP:768:2g/sdVtzBkQf0WpkFIOO4t7MGZCbuZU9/9U4/ev6rXyHXWVWrAqlUK+QN:KNz4tA9/ic86Xkyqtv
                        MD5:11D7DFA66BDBCA864D25550B054A955F
                        SHA1:8DBE35565C7130B020A5FA9301124122E919FBD3
                        SHA-256:F4B21ECA19E7787887C5485AA545408A6FC0D8F0E7C36D2556CE625AA2FDA77C
                        SHA-512:B843A4EA2D8409AD94D9136D85FB8A9CECB80D076D4B4EA4C7F14F5F5148B7A54CCF026F6357F15EB2C9D101CF4F3709ED4517E7E5EFF3448AD9EE39AAA851AC
                        Malicious:false
                        Preview:............................................................................h...|............%..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0.*.U................%..........v.2._.O.U.T.L.O.O.K.:.1.0.d.0.:.4.b.f.c.2.8.4.a.a.d.8.3.4.0.8.4.a.8.4.1.c.0.3.3.5.2.c.3.4.6.4.a...C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.4.T.0.2.2.0.5.0.0.0.0.7.-.4.3.0.4...e.t.l.......P.P.|........W...%..................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):30
                        Entropy (8bit):1.2389205950315936
                        Encrypted:false
                        SSDEEP:3:tHzX:
                        MD5:794C1C7746C3ABECB50882A0DECF5729
                        SHA1:E52EB86FE6A0E93D94328966063CC58B113B86E8
                        SHA-256:FF6F7D5B26BDF5F8668DE91DAED3CE6E459A53C9625B504EFCFF3259B733311F
                        SHA-512:62C873BB90B3BF56AECAAD2E4E525A4BF9AFE8FEF0B9EEDE8DBFDFDF629BD69663DBD6D44A14965C7645542D61239459A7C465109B8CC1B05B476FB1F442C9FF
                        Malicious:false
                        Preview:..............................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:Composite Document File V2 Document, Cannot read section info
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):0.6704277064741759
                        Encrypted:false
                        SSDEEP:12:rl3baFCSqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCCC7OL:r/mnq1Py961LOL
                        MD5:F1D11F2B96BD295B70E7FC3971FA8844
                        SHA1:B4CD7B46D8E6B4A1B2874C6BD746FCA305578F79
                        SHA-256:DCC65B9F440181C5ACD8E44AAF2C76D35A8A1291B07B331CEEE7E5B67FD84C01
                        SHA-512:988B71A7303437BFCD500F4F6CC5471029CD783887D9E2BED08FCFE6D471B52F21899A3EA65ABA78CAEC5F981227DE1F93DF923210126CABCBC5383F2D34250D
                        Malicious:false
                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:Microsoft Outlook email folder (>=2003)
                        Category:dropped
                        Size (bytes):271360
                        Entropy (8bit):4.858259103427101
                        Encrypted:false
                        SSDEEP:3072:QYfWiDFvTUGyU1PT4rLhFVPsUffsJM8bet5p95Kfp9:nDFfJBT4LVEUGMp5Mf
                        MD5:3263AC491FA0757D814FFB7FB40275D8
                        SHA1:BD74500529C7E978D139E568EB6F67242BB80F68
                        SHA-256:4C8BC3175824FD9B4404977001D62DCC152638400EFCA125F1B8307874C317BB
                        SHA-512:BFA65EF10DA04B169401B05D4BDF489B97811E06328757EA9CC92251AA539E9A26E873E963F2D8C70155CB731DA300F9DFD98DDF950E9C4279B0FD9AB6E3F0BC
                        Malicious:false
                        Preview:!BDN.wH.SM......\...}...........C.......h................@...........@...@...................................@...........................................................................$.......D......................A...............>........~..................................................................................................................................................................................................................................................................................p........e........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):131072
                        Entropy (8bit):3.2645195461231875
                        Encrypted:false
                        SSDEEP:1536:KW53jEpEHP4qQ10PAwr1GDOVQzBiUffaJRl2GWqxqQ8zhD4edW53jEpEHP4qQ10/:Ip9UysUffaJHeLp9
                        MD5:7E60B61ACD334454F5EB402C4469F67A
                        SHA1:411F54262408DED85BD44CF760EA14FECE2D389F
                        SHA-256:3AAFF3F7EC7864CA0308BB7BE8C4E0A5A783EDC3E58E4FBFE5929CE51A177CF6
                        SHA-512:BFE1398AFD846D28A11A32D4A47EE67F94C16675566891DDC885877FD3EAAC37CFD42C854B313E4379BE30C9E78266492FBEDD498852FF1328D6654C07976761
                        Malicious:false
                        Preview:&..G0................B...%.......D............#..._....................x............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.wP.D......A..0................B...%.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:RFC 822 mail, ASCII text, with very long lines (515), with CRLF line terminators
                        Entropy (8bit):6.129932469240778
                        TrID:
                        • E-Mail message (Var. 5) (54515/1) 100.00%
                        File name:D. Bayham, Group #0070302, and Claim #7270930 - Support to Max.eml
                        File size:103'249 bytes
                        MD5:3eff18c9614bd2601979dc751467f38b
                        SHA1:4cc2586455a775d21253ae0ca3d8139564af78a2
                        SHA256:d9525d46f8515b3908440f139eff262d01e5554b87d2e0ff867f788d8a117983
                        SHA512:1b339843e1ec15535c9e2c2b9f96f9cabce074dbbd4149f160fde25274e71db314b6cfe539088c512c3933fc13d633c75d9258cfa3898741715892ae9f4ff7fe
                        SSDEEP:1536:SOcJsDpv5SOZM1UnLLgDKmM6JMRSyX2S/j56pZL5fw1vfqhh2qLYeacFAziCQznZ:EsDvfwULLgDCSaZ/jYL5AqLAYdtsU
                        TLSH:D7A3F1244E0B2928CB21F1493615BD0F69187F82A4FB219526AFD13D22DF07B6E7AC75
                        File Content Preview:Received: from VI2P194MB2231.EURP194.PROD.OUTLOOK.COM (2603:10a6:800:22f::6).. by AS8P194MB1707.EURP194.PROD.OUTLOOK.COM with HTTPS; Wed, 23 Oct 2024.. 19:49:21 +0000..Received: from DU2PR04CA0318.eurprd04.prod.outlook.com (2603:10a6:10:2b5::23).. by VI2P
                        Subject:D. Bayham, Group #0070302, and Claim #7270930 - Support to Max
                        From:vanessa osai <Vanessa_Osai@manulife.ca>
                        To:Troels Hegh <th@hartmann-packaging.com>, Wray Hussey Sr <WJH@hartmann-packaging.com>, Brenda MacDonald <BMAC@hartmann-packaging.com>
                        Cc:
                        BCC:
                        Date:Wed, 23 Oct 2024 19:48:47 +0000
                        Communications:
                        • vanessa osai (Vanessa_Osai@manulife.ca) has sent you a protected message. <https://outlook.office365.com/Encryption/lock.png> Read the message<https://outlook.office365.com/owa/?viewmodel=ReadMessageItem&InternetMessageID=%3cYT2PPF15C092F3DA27DCB1DFFA84E9A9321F14D2%40YT2PPF15C092F3D.CANPRD01.PROD.OUTLOOK.COM%3e> Learn about messages protected by Microsoft Purview Message Encryption.<https://go.microsoft.com/fwlink/?Linkid=844050> Privacy Statement<https://go.microsoft.com/fwlink/p/?linkid=857875> Learn More<https://go.microsoft.com/fwlink/?Linkid=844050> on email encryption. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
                        Attachments:
                        • message_v2.rpmsg
                        Key Value
                        Receivedfrom YT2PPF15C092F3D.CANPRD01.PROD.OUTLOOK.COM ([fe80::6b98:c29e:94c0:b09f]) by YT2PPF15C092F3D.CANPRD01.PROD.OUTLOOK.COM ([fe80::6b98:c29e:94c0:b09f%6]) with mapi id 15.20.8069.024; Wed, 23 Oct 2024 19:48:47 +0000
                        Fromvanessa osai <Vanessa_Osai@manulife.ca>
                        To: Troels Hegh <th@hartmann-packaging.com>, Wray Hussey Sr <WJH@hartmann-packaging.com>, Brenda MacDonald <BMAC@hartmann-packaging.com>
                        Subject: D. Bayham, Group #0070302, and Claim #7270930 - Support to Max
                        Thread-Topic: D. Bayham, Group #0070302, and Claim #7270930 - Support to Max
                        Thread-Index: AdslhD0l7J5LZrbWTIiIzGEj2qrJMQ==
                        Content-Class: rpmsg.message
                        Date: Wed, 23 Oct 2024 19:48:47 +0000
                        Message-ID: <YT2PPF15C092F3DA27DCB1DFFA84E9A9321F14D2@YT2PPF15C092F3D.CANPRD01.PROD.OUTLOOK.COM>
                        Accept-Language: en-US
                        Content-Language: en-US
                        X-MS-Exchange-Organization-AuthSource: DU6PEPF0000B61D.eurprd02.prod.outlook.com
                        X-MS-Has-Attach: yes
                        X-MS-Exchange-Organization-Network-Message-Id: 39666a4e-b801-4d93-49b2-08dcf39bbdb7
                        X-MS-TNEF-Correlator:
                        X-MS-Exchange-Organization-RecordReviewCfmType: 0
                        msip_labels: MSIP_Label_0dd5db4b-78fb-42ac-8616-2bbd1a698c72_ActionId=d7bbb154-f2d2-4c3e-8b72-24d01c8b106c;MSIP_Label_0dd5db4b-78fb-42ac-8616-2bbd1a698c72_ContentBits=0;MSIP_Label_0dd5db4b-78fb-42ac-8616-2bbd1a698c72_Enabled=true;MSIP_Label_0dd5db4b-78fb-42ac-8616-2bbd1a698c72_Method=Privileged;MSIP_Label_0dd5db4b-78fb-42ac-8616-2bbd1a698c72_Name=EXTERNAL;MSIP_Label_0dd5db4b-78fb-42ac-8616-2bbd1a698c72_SetDate=2024-10-23T19:48:46Z;MSIP_Label_0dd5db4b-78fb-42ac-8616-2bbd1a698c72_SiteId=5d3e2773-e07f-4432-a630-1a0f68a28a05;
                        received-spf: SoftFail (protection.outlook.com: domain of transitioning manulife.ca discourages use of 185.132.181.93 as permitted sender)
                        x-ms-exchange-organization-originalclientipaddress: 185.132.181.93
                        x-ms-exchange-organization-originalserveripaddress: 10.167.8.137
                        authentication-results: spf=softfail (sender IP is 185.132.181.93) smtp.mailfrom=manulife.ca; dkim=fail (body hash did not verify) header.d=manulife.ca;dmarc=fail action=quarantine header.from=manulife.ca;compauth=none reason=451
                        x-forefront-antispam-report: CIP:185.132.181.93;CTRY:DE;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx07-00378701.pphosted.com;PTR:mx07-00378701.pphosted.com;CAT:NONE;SFS:(13230040)(35042699022)(30052699003)(82310400026)(8096899003);DIR:INB;
                        x-ms-office365-filtering-correlation-id: 39666a4e-b801-4d93-49b2-08dcf39bbdb7
                        x-microsoft-antispam: BCL:0;ARA:13230040|35042699022|30052699003|82310400026|8096899003;
                        x-ms-publictraffictype: Email
                        x-ms-traffictypediagnostic: YT2PPF15C092F3D:EE_|YT2PR01MB5888:EE_|DU6PEPF0000B61D:EE_|VI2P194MB2231:EE_|AS8P194MB1707:EE_
                        x-ms-exchange-crosstenant-originalarrivaltime: 23 Oct 2024 19:49:00.6278 (UTC)
                        x-ms-exchange-crosstenant-fromentityheader: Internet
                        x-ms-exchange-crosstenant-id: 8b053d7b-0cc3-4fc0-91e0-ccbb3fff2dc3
                        x-ms-exchange-transport-crosstenantheadersstamped: VI2P194MB2231
                        x-ms-exchange-transport-endtoendlatency: 00:00:20.8344118
                        x-ms-exchange-crosstenant-network-message-id: 39666a4e-b801-4d93-49b2-08dcf39bbdb7
                        x-ms-exchange-processed-by-bccfoldering: 15.20.8093.014
                        arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=gvh7uWLVeX1kXmrLNgNCPj+RAEV09UK5PxxINdR2+wFsoSr2lE/AQHW7YuNBYF8iKglZ2fhvo2fRfrLgjkhi41rN2tV9w4fiIgGsmvHSEyujWy51N755BezV9K7WArcrfVu06EOhqFB1gJzpljTIcZQXejt+ThHCn+9XkbUvOz2p6N26WY4MRDG4fUmAdohNCumGP8Gc1pZP2DYpFm/xifTsO9fKIbhnwTn8daKlUay5aKQnjxjZftRrVH6CCQz7msO8xkpnzi9QwqMHlwnsWbOchGpZPU77vZGj6hyzcl5vLcirM6Kmk40J6D0BkgjJ19FGDan7lluPdUyjF6sn5g==
                        arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4NFxiF4FonH5eL0ORblWXbiRD5xNwggSJ0o1rlrrNZo=; b=FJKDnlXDaFhmsqtNZNF+9rMZ1S27hSVqG5yPntbOyB6cI6eXynaYff++P5aJ4PEaKeGY2hrRoeXpuBy5Wpe2AXs1U9rH8LSO8pK4eVbE0Ep2O2Kc7+c2aAcYA8M+gDigEOM42E3smbOH1RV7W2WRbYm4phjWYeu2mV4mn9i6FUNFQ3N36QbmRZPSObuu1N0e5/W1pLRchldZkqm2UFVDuOSgYYvS0KDwmfmNXbQYU+aEQcoEPJzDo9FXoTHPGpFHF/DaeDqIgZnUloMNFem5zcu7XWGik4nzNP6yCDEWSI1eIM90TkRx5jC4ntON6PWbeMVwIvY7sbruLOIPR5TM5Q==
                        arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=manulife.ca; dmarc=pass action=none header.from=manulife.ca; dkim=pass header.d=manulife.ca; arc=none
                        dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manulife.ca; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4NFxiF4FonH5eL0ORblWXbiRD5xNwggSJ0o1rlrrNZo=; b=cPz7KQWi+twIGK2kRsW1muWYgYORVpabCofu9iS1cuj2EHLXj1seAGCG7QfGhlg6rVFeN94aMaFH5CeyR7qJH8xhLTVfswyKW7coGw1KnaXOJoVVTOPjSYBqY1FVYjg66RRg5VO+eNeaJN7tbGlpcyu5Or0nCfC8nCCJyrB5/ps=
                        x-forefront-antispam-report-untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YT2PPF15C092F3D.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016)(38070700018)(8096899003);DIR:OUT;SFP:1101;
                        x-ms-exchange-senderadcheck: 1
                        x-microsoft-antispam-untrusted: BCL:0;ARA:13230040|1800799024|376014|366016|38070700018|8096899003;
                        x-microsoft-antispam-message-info-original: 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
                        x-proofpoint-virus-version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1051,Hydra:6.0.680,FMLib:17.12.62.30 definitions=2024-10-23_15,2024-10-23_01,2024-09-30_01
                        x-proofpoint-spam-details: rule=inbound_notspam policy=inbound score=0 adultscore=0 malwarescore=0 spamscore=0 lowpriorityscore=0 mlxscore=0 impostorscore=0 clxscore=68 suspectscore=0 priorityscore=0 mlxlogscore=790 phishscore=0 bulkscore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2409260000 definitions=main-2410230127 domainage_hfrom=8776
                        x-eopattributedmessage: 0
                        x-eoptenantattributedmessage: 8b053d7b-0cc3-4fc0-91e0-ccbb3fff2dc3:0
                        x-ms-exchange-transport-crosstenantheadersstripped: DU6PEPF0000B61D.eurprd02.prod.outlook.com
                        x-ms-office365-filtering-correlation-id-prvs: 01708c25-c408-46df-b6e3-08dcf39bb5a8
                        x-ms-exchange-crosstenant-authas: Anonymous
                        x-ms-exchange-crosstenant-authsource: DU6PEPF0000B61D.eurprd02.prod.outlook.com
                        x-clx-shades: MLX
                        x-clx-response: 1TFkXHBIRCkx6FxoRCllEF21tc2cdXFkdf01oEQpYWBdtaAV5enoTeFl4YxE KeE4XbXgYZ0JmeBtTfnsRCnlMF2B4HEZLU3hafXJoEQpDSBcHGxgTEQpDWRcHGB4dEQpDSRcaBB oaGhEKWU0XZ2ZyEQpfWRcYHRgRCl9NF2dmchEKWUkXBxsScRgGBxsSdwYYGhoGGxoaQhsTBhoGB xIGHhJxGBAadwYaBgcfGgYaBhoGGgYacRoQGncGGhEKWV4XaGN5EQpJRhdCS1heR0tERHVCRVle T04RCklHF3hPTREKQ04Xa3NdGlNPaWdjbxJ5YXN1UmtaHxl6T1pkGWVkemtLYhIRClhcFx8EGgQ ZHR0FGxoEEhoEGxkeBBkeEBseGh8aEQpeWRdPflxMYhEKTVwXBxsdEQpMWhdsaU1raxEKTEYXb2 trY2traxEKQk8XZXlrElxBTFhkZn8RCkNaFx4aBBsaHQQbExgEGRgRCkJeFxsRCkReFxwRCkJFF 2ZbS3BYZk1rWWsTEQpCThdteBhnQmZ4G1N+exEKQkwXbWgFeXp6E3hZeGMRCkJsF2R8Ykd6HRpo Z05IEQpCQBdjemBNeR4BUnxlbxEKQlgXb2BSTFJJemZDYUsRCk1eFxsRClpYFxMRCnlDF2lJYx0 aGQVwRllAEQpZSxcSHR0cEQpwaBdjTXt/fBpbXEh4fxAbGxgRCnBoF29OSFAZZkF4TkFzEBkaEQ pwaBd6QWYacB9NGklnZxAZGhEKcGgXbUx6QERBc1JZeXoQGRoRCnBoF21sfkdIQUsZQEZkEBkaE QpwaBdtf0tNU0QBH01GSxAdEhEKcGgXZEZhAUZ+c39ySBsQGxsfEQpwaBdvcE9nb0IdbX4TXRAb GxkRCnB9F21fWHtvS0BlaRllEBsaHhEKcH0XYXNkR0dIXkMceh8QGRoRCnB9F2x/GHJZBW1BEhl CEBsaHREKcH0XbENTHAEbeF1La34QGxofEQpwaxdjbhkYHmVyX21nTRAZGhEKcEsXZF9ISwVpHk kcGWUQGxsZEQpwfxduQU17T11BH0VJExASHhEKcF8XZQV+GBldRnofHRoQGxoeEQpwXxdtWkhPe FxbRmNdGRAbGh0RCnB/F2JGa0ESGgUFS2dFEBsaHBEKcF8XbR18cx5OaxIac2EQHRwRCnBfF2Ee Uh1sSGtuU0daEBsaGREKcGwXa3NJQ0liSEViSBMQGRoRCm1+FxsRClhNF0sRIA==
                        x-ms-exchange-atpmessageproperties: SA|SL
                        x-proofpoint-orig-guid: AYw0yeCMIE8SKY_xAp53PepN3ONPAaH8
                        x-proofpoint-guid: AYw0yeCMIE8SKY_xAp53PepN3ONPAaH8
                        X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
                        X-Microsoft-Antispam-Message-Info: KiN3ZvZgBXrR/x4w7obOSbKS/eI8nwuzhktT8eLRbGorOO+xLiOfSHORRIBzExjI6ch6C0hj6hBSNF34NU9DqpvVaSgZaGZybIConA/91/f8cwVqmZgrMTSGVCye7jZCksJeiBvl+pOIWp9S0arJaKP4vI+Afhel0PvAPepa7nKdajL24tUGbdx+wp7PhJZxQUj5INaF++LRDGy0hFg7TctEoqqyer3Laxl977l0AXPjwPII4c1F39k4ZYF3m2pPBNUdUwuQo+DJ1iSY9BUeu74i3Ak0ZUkkl6eLccLV3zZQ3cAlur7Xtzj6QgGNAqDpzZ5aIt18Bihb886jEORD1jz9zGpk4/59UVoC4ZQV0DFMdSWty5zKPgUaZeijmGwhiH/lK3Kvi+exZVVt+JFrJ9qNH4YVWZjMa6h5k77enwIHolqBHVrl2Qt/aVA1jA+1PVdWoGS/4ZYDJs8yaXDhVHfeagsJgqpxuIXucNuSDfflbjBqzJuvi18Vv7WjI+PMfvA/Mo+dA0csAC2X8ts8tbTusuVeNUlivb8DiRv7ze4TqdYnltV1uNd+YUT0x7ZPR1mVdclLz4nLvpSbC1CCBpjZaDsB1w2S4hXpTyP3enQzrtX5gyKJm30pIVGrnuCOawa1T88IDyzfip2V8s51PRgNAAd3iRYoeazwAFFWSUmCJb4wenbOmvIvt6YT1gO6qp9chakYkKQH+sqYVouhsqiBa0hgVhYaKnag7JL57+WHkIBsONqje3z72bDIPyfMyebFbDlxbEuDrJAB9ssSjEt6KLE5iLKZz5wVvxH6RS7P6Tg3aRfIMEJmHQxJWoNwX5AY+aKrdKgsE4aI5QcWr1KtFfzWSjIwmZxz1xXISksrtHAP+SwJKX7u1wcQc5H2PN5GFyZzWii9ifpR/LGbHL90GmKTIv8jfaeWrmnsOGC4qGqvK/kSkzbMjJwXg/tmvFLsoIkUwMYefM2luIfqiRsVh+PLObY8ozoFBxyRB/M1mUPVFKP5groGhP2t7a+vhzT/UdsMRhpoVWHdhDtcn2rZXq64JNxAGR/Jybd6WZwT2qFXjby73+y72wUsmm6rnTsc/yXfF1nQSwHuV3rc8sw971UxBU0szMuxBwS2WgU3UX+fF302KrEP6cUx/dX5Dn14hTbwoaPH3nczLXI76dxuZnccR5IPdWxaagStQfKH5bDcTIx4a0AbWBGgAVFY0LV53unldep/ozbXYeCt4zYiet69SQDItyfPwQXB8b6/0tgFJ5960MPSu8FseD4hD7W1+8lTWbxhHliKx4dcwOZkZhHdS5gq/w02mBtVsfHWRApmZAAUzYpXWMdEpO+iMWk//xdG7XQ7fLNZjO54ZlWq4KDBD4lvFIYw/D1iPH0A/8X2SlSQ4vILbTolmW4uaFR1zZ+1t81SzJlS+WRfRpPfqGpliqw2AQOJAFkY3AbPsbol34CLiJbd4YAFqjRu+YJ8Huf0BQE1A3cRk3nXEcKh/NpWsOPr/EczwZrNS4xW3waD4HwTKzG/rKspUJDOebXr8B/2D4lCUo5IDktPjJWH1y6CrLJnzm0gGmFzsFJ/fBI8513rC4/uY/AU9uLIHgG8iPod1MzjnSrWcRo7qZVUjx5KajH++iRMWBKzXfC3BzPWk+qV/q7QlV6XfOq/ke68sNdkh9+/7E4PslxJczarj1kEoloFJonS0z7/NnHuLN2No4XycVcrcAhQAe365xy8BAoDYA8BogU7GTF6iBm1HFq4TuVHtQDNEU+N9pyRyD4ibnrGwf35+hlInw0v3UzzEbU2Pa1rgGTYQdJVipp0hOjy3ENvNtS45jRho0g5F2e2gq0MH6Fh2rIv51mA2rf5VITD2p7W5veWRGIgQ3u/venDw3Hu56zX5pDaswnHJVE6e7wz0Kd8lG2at8IC8k9YFW0j/5HO9E3oRhNWDO9TBxRGOH5kQkax6gkcswyhoK66Ko7XXJo0Ja4Q0EJ5z0re6paeVebHRdVlGOcjB/HvD/E2w5uGlpQo1cCQRO7C4ol10Lpl3We6YnAQ66mtEPHENP6OatrVi4LPaGLst8oeGFYl1C8P5ZBFJK5AF3pr5f0BvCK7QeIz8xlK+ZHHaIyN0vB0lhHHloI6DyfMtO1H9IX931AzKOBJVvLwmA3Y35Nm3k8aUcCgCIn65ibWFxQXMasDvhQaf/fwZwUR4LS5OnHQQRnFbLqa8k9KU4YOavWNuSN/9ZK+2qpjsgsfAVZpgRD59NM4d1J3oKJ/t0h5LB//hZfQFRmrwIqSukM=
                        Content-Type: multipart/mixed; boundary="_004_YT2PPF15C092F3DA27DCB1DFFA84E9A9321F14D2YT2PPF15C092F3D_"
                        MIME-Version: 1.0

                        Icon Hash:46070c0a8e0c67d6
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 24, 2024 08:20:57.640130043 CEST | 51714 | 53 | 192.168.2.7 | 1.1.1.1
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Oct 24, 2024 08:20:57.640130043 CEST | 192.168.2.7 | 1.1.1.1 | 0xe220 | Standard query (0) | 3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Oct 24, 2024 08:20:57.677118063 CEST | 1.1.1.1 | 192.168.2.7 | 0xe220 | No error (0) | 3d248eb1-0a4d-46d7-8654-303e982f1249.rms.na.aadrm.com | aadrm-com.b-0026.b-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false

                        Target ID:0
                        Start time:02:20:48
                        Start date:24/10/2024
                        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\D. Bayham, Group #0070302, and Claim #7270930 - Support to Max.eml"
                        Imagebase:0x7b0000
                        File size:34'446'744 bytes
                        MD5 hash:91A5292942864110ED734005B7E005C0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:5
                        Start time:02:21:04
                        Start date:24/10/2024
                        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "AA663763-67F1-49BD-BE3C-AAB64F081339" "0538504D-C34A-4E39-8433-79C1F4C09CDB" "4304" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                        Imagebase:0x7ff60cdb0000
                        File size:710'048 bytes
                        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        No disassembly