Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Town Of Castle Rock Open Benefits Enrollment.eml.msg

Overview

General Information

Sample name:	Town Of Castle Rock Open Benefits Enrollment.eml.msg
Analysis ID:	1562551
MD5:	0b7af109ab89093b3d0a010c90ee7849
SHA1:	b36459e6ed288409d10c1cfbc140c9eaffbb2393
SHA256:	ed3e6f3e0909da5e5dbbc6f1807d41072f2431f1e130af26e7d7d2e6e2348018
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Classification

×

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7428 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Town Of Castle Rock Open Benefits Enrollment.eml.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7968 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CD870B45-C509-4A45-9439-56A828AB902E" "584C2ECB-F035-4585-AF1C-282443772D9D" "7428" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Source: Registry Key set

Author: Bhabesh Raj: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\ShowNotification

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected potential phishing Email

Source: Email

Joe Sandbox AI: Detected potential phishing email: Multiple suspicious .shtml attachments which are uncommon for legitimate HR communications and could contain malicious code. The email creates urgency and threatens loss of benefits if action not taken, a common phishing tactic. While using official-looking branding, the email address 'HR-Benefits@crgov.com' appears suspicious for a government organization

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.aadrm.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.aadrm.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.cortana.ai
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.office.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.onedrive.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://api.scheduler.
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://app.powerbi.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://augloop.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://canary.designerapp.
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.entity.
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://clients.config.office.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://clients.config.office.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cortana.ai
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cortana.ai/api
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://cr.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://d.docs.live.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://dev.cortana.ai
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://devnull.onenote.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://directory.services.
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ecs.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://graph.windows.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://graph.windows.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://invites.office.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://lifecycle.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://login.windows.local
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://make.powerautomate.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://management.azure.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://management.azure.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://messaging.office.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://mss.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ncus.contentsync.
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://officeapps.live.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://onedrive.live.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://outlook.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://outlook.office.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://outlook.office365.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://outlook.office365.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://planner.cloud.microsoft
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://res.cdn.office.net
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://service.powerapps.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://settings.outlook.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://staging.cortana.ai
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://substrate.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://syncservice.o365syncservice.com/"
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: Town Of Castle Rock Open Benefits Enrollment.eml.msg	String found in binary or memory: https://url.us.m.mimecastprotect.com/s/bsrcCxkw9pCLRZmZS8foHypG0I?domain=sherwin.cw1.ro
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://wus2.contentsync.
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	String found in binary or memory: https://www.yammer.com

Source: classification engine

Classification label: sus21.winMSG@3/21@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241125T1156510063-7428.etl

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Town Of Castle Rock Open Benefits Enrollment.eml.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CD870B45-C509-4A45-9439-56A828AB902E" "584C2ECB-F035-4585-AF1C-282443772D9D" "7428" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CD870B45-C509-4A45-9439-56A828AB902E" "584C2ECB-F035-4585-AF1C-282443772D9D" "7428" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://login.microsoftonline.com/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://shell.suite.office.com:1443	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://designerapp.azurewebsites.net	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://autodiscover-s.outlook.com/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://useraudit.o365auditrealtimeingestion.manage.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://outlook.office365.com/connectors	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://cdn.entity.	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.addins.omex.office.net/appinfo/query	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://powerlift.acompli.net	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://lookup.onenote.com/lookup/geolocation/v1	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://cortana.ai	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.powerbi.com/v1.0/myorg/imports	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://notification.m365.svc.cloud.microsoft/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://entitlement.diagnosticssdf.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.aadrm.com/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://ofcrecsvcapi-int.azurewebsites.net/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://canary.designerapp.	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://ic3.teams.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://www.yammer.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.microsoftstream.com/api/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://cr.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://messagebroker.mobile.m365.svc.cloud.microsoft	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://otelrules.svc.static.microsoft	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://url.us.m.mimecastprotect.com/s/bsrcCxkw9pCLRZmZS8foHypG0I?domain=sherwin.cw1.ro	Town Of Castle Rock Open Benefits Enrollment.eml.msg	false		high
https://portal.office.com/account/?ref=ClientMeControl	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://edge.skype.com/registrar/prod	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://graph.ppe.windows.net	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://powerlift-frontdesk.acompli.net	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://officeci.azurewebsites.net/api/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.scheduler.	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://my.microsoftpersonalcontent.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://store.office.cn/addinstemplate	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.aadrm.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://edge.skype.com/rps	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://outlook.office.com/autosuggest/api/v1/init?cvid=	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://globaldisco.crm.dynamics.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://messaging.engagement.office.com/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://dev0-api.acompli.net/autodetect	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://www.odwebp.svc.ms	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.diagnosticssdf.office.com/v2/feedback	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://web.microsoftstream.com/video/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://graph.windows.net	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://dataservice.o365filtering.com/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://officesetup.getmicrosoftkey.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://analysis.windows.net/powerbi/api	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://substrate.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://outlook.office365.com/autodiscover/autodiscover.json	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://notification.m365.svc.cloud.microsoft/PushNotifications.Register	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://d.docs.live.net	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://safelinks.protection.outlook.com/api/GetPolicy	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://ncus.contentsync.	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://syncservice.o365syncservice.com/"	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
http://weather.service.msn.com/data.aspx	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://apis.live.net/v5.0/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://officepyservice.office.net/service.functionality	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://templatesmetadata.office.net/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://messaging.lifecycle.office.com/	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://planner.cloud.microsoft	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://mss.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://pushchannel.1drv.ms	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://management.azure.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://outlook.office365.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://wus2.contentsync.	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://incidents.diagnostics.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://clients.config.office.net/user/v1.0/ios	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://make.powerautomate.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.addins.omex.office.net/api/addins/search	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://api.office.net	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high
https://incidents.diagnosticssdf.office.com	001A4D29-A3FB-4636-B358-6CEAD3BBFD3D.2.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562551
Start date and time:	2024-11-25 17:55:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Town Of Castle Rock Open Benefits Enrollment.eml.msg
Detection:	SUS
Classification:	sus21.winMSG@3/21@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.89.19, 23.32.238.27, 23.32.238.82, 20.42.73.31
Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, eur.roaming1.live.com.akadns.net, onedscolprdeus21.eastus.cloudapp.azure.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, login.live.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, storeedgefd.dsx.mp.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, client.wns.windows.com, prod.configsvc1.live.com.akadns.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Town Of Castle Rock Open Benefits Enrollment.eml.msg

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "explanation": [ "Multiple suspicious .shtml attachments which are uncommon for legitimate HR communications and could contain malicious code", "The email creates urgency and threatens loss of benefits if action not taken, a common phishing tactic", "While using official-looking branding, the email address 'HR-Benefits@crgov.com' appears suspicious for a government organization" ], "phishing": true, "confidence": 8, "generated_by_ai": false }
{ "date": "", "subject": "Open Benefits Enrollment Eligible for tray", "communications": [ "Town Of Castle Rock\n\nHuman Resources Update\n\nFriday, November 22, 2024\n\nSummary\n\nWe are excited to announce that our annual benefits open enrollment is here! Town Of Castle Rock Open Enrollment is scheduled to run from Friday, November 22nd Tuesday, November 26th.\n\nStakeholders\n\nAll Town Of Castle Rock Benefits-Eligible Employees\n\nObjective\n\nThis will be an Active enrollment which means all employees are required to review and elect each benefit.\n\nIf you fail to enroll this November, your current benefits will not roll over and you will have to wait until the next open enrollment period (November 2025).\n\nResources\n\nWe are offering multiple resources leading up to and during open enrollment so that you can learn about our offerings and make the best-informed decision for you and your family.\n\n\tOpen Enrollment Guide for 2025 will be provided no later than November 25th.\n\tThe PlanSource portal opens November 25th. Access PlanSource via Town Of Castle Rock-HR to view/complete open enrollment and access all informational material or click on the link PlanSource provides via email.\n\tWe will host live sessions via Teams to promote exciting changes for next year.\n\tWe will send multiple email reminders and provide more detailed information on how to access the platform to ensure everyone has the information they need for a successful Open Enrollment.\n\n \n\nQuestions?\n\nQuestions can be directed to Crgov-benefits.HR@crgov.com.\n\n" ], "from": "Town Of Castle Rock <HR-Benefits@crgov.com>", "to": "tray@crgov.com", "attachements": [ "Town Of Castle Rock 401k Retirement Plan.shtml", "Town Of Castle Rock Eligible Finance Insurance Benefits Open Enrollment Plan.shtml", "Town Of Castle Rock Health Insurance Benefits Open Enrollment Plan.shtml", "Town Of Castle Rock Life Insurance Benefits Open Enrollment Plan.shtml" ] }
URL: Email Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Open Enrollment Guide for 2025 will be provided no later than November 25th.", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: Email Model: Joe Sandbox AI	{ "brands": [ "Town Of Castle Rock" ] }
	{ "brands": [ "Town Of Castle Rock" ] }

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.386867597693822
Encrypted:	false
SSDEEP:	3072:MXgttrXgcmiGu2pqoQ/rt0FvtNMVgojSK:Mopmi28eMVgojS
MD5:	55565047676531A8668040D34DD83DE0
SHA1:	B4EDD34B429A052FA9100C39BAA727E8E365DE94
SHA-256:	611E9494697EE02F46F7A16CC2C1070FC31474E33885B3BB7240737A2E646000
SHA-512:	F6843CA6C0DD3F58A42AE07E8E9753D82E3918FFCB31DAC3492C4BEDA02C507A2BB2C1468E5B0E4439B7E60EFCA41115BF6D619AB0D4C4665E80995814BA1818
Malicious:	false
Reputation:	low
Preview:	TH02...... .@./.Z?......SM01X...,...`!#.Z?..........IPM.Activity...........h...............h............H..h.o............h............H..h\eng ...r\Ap...hPp..0...@.o....hQ..............h........_`.k...h....@...I.6w...h....H...8..k...0....T...............d.........2h...............k..............!h.............. hCwD.....X.o...#h....8.........$h........8....."h............'h..=...........1hQ...<.........0h....4.....k../h....h......kH..h....p....o...-h .........o...+h........o................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	322260
Entropy (8bit):	4.000299760592446
Encrypted:	false
SSDEEP:	6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5:	CC90D669144261B198DEAD45AA266572
SHA1:	EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:	89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:	16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	10
Entropy (8bit):	2.521928094887362
Encrypted:	false
SSDEEP:	3:Ls:Q
MD5:	01D88EB3758A674C083F326F33006109
SHA1:	8286FF676D83CE1D8157B5E5FA459C66A2CBBE27
SHA-256:	CB03BE75242E2BA7DF5C8247004B565A16E79D1B7F795E42FE6381AE1BDF754E
SHA-512:	AC510FB3B65E47BCA88713EED0AFFB9AB33F02BF0E03D436B12AF68B503041EF7F5FAD8101700DE0DDC69929BF210368EFBCB052C408BD15ABD33B1E9B577F10
Malicious:	false
Reputation:	low
Preview:	1732553821

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\001A4D29-A3FB-4636-B358-6CEAD3BBFD3D

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	181859
Entropy (8bit):	5.295319059811725
Encrypted:	false
SSDEEP:	1536:Ti2XfRAqSbH4wglE6Le7HW8Qjj/o/NMOcAZl1p5ihs7EXXNEADpOBIa5YdGVF8St:zde7HW8Qjj/o/aXSbTx
MD5:	2D3ACC9B60105A39E1D65DD99CF8C693
SHA1:	9C50F6849B338CD114E091557481E94B465E3B92
SHA-256:	FEEB6D766971B6A896B287A56FE1E493FD29530657227C270A65927182EB0114
SHA-512:	76897F6B89D2F07BC9B6C9174C281B15ADF31B159EDC655619F98D49DE0C7CA5302C745468CECF7BC87C451D8BE31F97AC305DE5E0E0FCD46ADD4840DDAEAACF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-25T16:56:56">.. Build: 16.0.18312.40138-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09304735440217722
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpEl9Xll:l9F8E+9
MD5:	D0DE7DB24F7B0C0FE636B34E253F1562
SHA1:	6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256:	B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512:	42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.1378497710305501
Encrypted:	false
SSDEEP:	3:7FEG2l+9nBntK/FllkpMRgSWbNFl/sl+ltlslN04l9Xllj:7+/lIIg9bNFlEs1E39b
MD5:	2792BE9011FA56A02060FAC3A72315F0
SHA1:	9CB15F31D1EEA991D2DC6735612DE49BE3018156
SHA-256:	0EEED93A5FCDC19DD4441D1A0A78B6EAD420908192EDB84C908E1B84CFB105CD
SHA-512:	B7EB97412186ED0B21FB3580407614275DB6472FCC270FF3F3909E350595F6627B31D04554DE3036FBEC52FFF6963263B7E7C8AB70A252E316376D4F01C289C7
Malicious:	false
Preview:	.... .c.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0445382698033491
Encrypted:	false
SSDEEP:	3:G4l2WpMarFkil4l2WpMarFkXulL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2WiuPl4l2WiutL9XXPH4l942U
MD5:	07C0592AA4F06A025A063C44F77CD8C4
SHA1:	A43D8D5627E4E90F1195D7944FA6AC4C663788F8
SHA-256:	B3355869B7E14A9E8EA5B26AC70481EE3CB9AE0C10189F82806036805D687AF3
SHA-512:	651ECC2874FC6C66F0DA5324BD3F5CAE446554F954C9D282A3EB0E2E8FD6CEC20EFA5B9585A978589607E4812F7E0A56B1057C6E0A1EF7B6794A7DABC57F3E98
Malicious:	false
Preview:	..-.......................z.......9..q...:...-.......................z.......9..q...:.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	45352
Entropy (8bit):	0.39576328728114357
Encrypted:	false
SSDEEP:	24:K4NZTv6bQMIzRDznCmill7DBtDi4kZERDFQjxqt8VtbDBtDi4kZERDza:rZTv6bQjnnJill7DYMCxO8VFDYMPa
MD5:	F5626CEB33231EB855B2D3908F0B7698
SHA1:	220AFB1BC94CCDE1B80013F95B993FE95EBE29B2
SHA-256:	EBAF089668D0C72F436897119734B9ED5A84A9B463FEC66FF1F974D0D297A734
SHA-512:	4BF9EBA257DF07010074088DCA44DE535270D6F66FA65253B205F1A8F5AF7C64CEAE6798AE300C4D70F4337B4575E258F380DE3CEAB0F9DA24BD32AE0E58E205
Malicious:	false
Preview:	7....-................9.t...0./...............9..~....5SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{693F42DD-6B59-4B61-9CF9-AAC5E427F02E}.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	2048
Entropy (8bit):	1.7850394307197839
Encrypted:	false
SSDEEP:	6:mVEEEEEEEMEEE0eXnNlqo3dlSOPEzBwAoZovfZEkrXybwRn6lPaN0s:7wYIOPoBXoZwhZAPC
MD5:	439939A1704DA2F7520A00A55D574101
SHA1:	C33ABB9F36F5F666EDC723307E3BC0C9B72C44F1
SHA-256:	7541C2EE1F2E1DF40F4195657D90B7CAF17D60A5E460D63DB1CD87C260369776
SHA-512:	3A6C3234BF4B6BB620739D6FAA6BFAA7F227D026930E4F1394E90D3BCA7AC6B8182EC00BD525B5D18821423360D303C23605B53D926147BBEF339A0765D92404
Malicious:	false
Preview:	....1.2.....1.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.....1.....1.2.....1.2.....1.2.....1.2.....(.....(.....(.....(.....(...e.n.g.i.n.e.e.r...e....................................................................................................................................................................................................................................................................................................................................................................................... ..."...(...*...0...2...8...:...@...B...H...J...P...R...V...X...\...^...d...f...l...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1732553811622759500_A07CAC1C-2B54-44EB-9E71-2FDAE81105D6.log

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28765), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.17582421338981208
Encrypted:	false
SSDEEP:	1536:Tx8H5mOKTD79brPniVwUeqJE6ozEJSp0ookjZGq9UV+PHOBBg6:QmJj9bmlDuS
MD5:	F835FDC63EB6D840B9CEE49A40534C3D
SHA1:	414FA32082941C3501517BF3B92F2173B8FD69DE
SHA-256:	3FEBBF6950BA0ACF718897713483E67292BCC1827651220C8A1B783C1067C3FB
SHA-512:	EF8544A3030689E38114E844CBBDD0D4017172AEB30715C879F6F976592242E4F4A741B306440D56F039898E877DBD54A4A4A0E1713C88E55406C6F98008D29F
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/25/2024 16:56:51.703.OUTLOOK (0x1D04).0x1D08.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-11-25T16:56:51.703Z","Contract":"Office.System.Activity","Activity.CV":"HKx8oFQr60SecS/a6BEF1g.4.9","Activity.Duration":124,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...11/25/2024 16:56:51.719.OUTLOOK (0x1D04).0x1D08.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":25,"Time":"2024-11-25T16:56:51.719Z","Contract":"Office.System.Activity","Activity.CV":"HKx8oFQr60SecS/a6BEF1g.4.10","Activity.Duration":14008,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajor

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1732553811625531900_A07CAC1C-2B54-44EB-9E71-2FDAE81105D6.log

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241125T1156510063-7428.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.447963197836193
Encrypted:	false
SSDEEP:	768:NX+y9lMu+8jovm3E4dNVW19A9AOuszWoXREOJAnYWeWNTWmWhFKlqxAVr:RtI4k19A9BWoXgnwiVr
MD5:	4DB26DCD79BAE15B059506DC2915E2AD
SHA1:	AD69CE55F3B6763E96DFDBB59BC1A2EA4793DF1B
SHA-256:	39334386FAF83E2759A0182A78BA1507ED5E3EA33EB6E4E4F063E15680BD2D54
SHA-512:	4801CECA4F3799473818196BC73E281644AD04C3F358A358B55C62E3278C17EB706B1575774A4863A4ED5EFA707E19861B033CBA125F5949D3710099C16BE77D
Malicious:	false
Preview:	............................................................................h...........,...[?..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................`..~M...........,...[?..........v.2._.O.U.T.L.O.O.K.:.1.d.0.4.:.6.1.a.a.e.1.b.3.3.3.2.d.4.d.0.a.a.5.4.d.2.9.9.a.7.4.2.8.2.4.0.8...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.1.2.5.T.1.1.5.6.5.1.0.0.6.3.-.7.4.2.8...e.t.l.......P.P.........\|Y..[?..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\msoCEDA.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	GIF image data, version 89a, 15 x 15
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.949125862393289
Encrypted:	false
SSDEEP:	12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5:	ED3C1C40B68BA4F40DB15529D5443DEC
SHA1:	831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256:	039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512:	C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious:	false
Preview:	GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

C:\Users\user\AppData\Local\Temp\~DF23BA79452BD2008C.TMP

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF77A112E50DFE7E62.TMP

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.34770384141446947
Encrypted:	false
SSDEEP:	192:jihlxgLesYnkwueLEGehzqmsmZ4JJNgiXHWQOoqAbAFAqwNh/:GhlGLesYnkwLA11sJsiXHOoqMu
MD5:	05A21C71D519013865AE0CE8BC0E6F1F
SHA1:	56C8E093AF75E45C82AD0F6D9C099FC46BEC9C5E
SHA-256:	A336DE6555E38B211301D267E5D119969545AA3E18DDCCB9E95539175A487888
SHA-512:	CF87955DDA486EF620A750B1E82A6DB21ADC368D2159038DC0FA182C9C112375C0749BD10F823C836CF613E1A6A86829597342A9F0831606F3FC2DA78C403FCF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCEDDDF296D623E86.TMP

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3613836054883338
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	679672A5004E0AF50529F33DB5469699
SHA1:	427A4EC3281C9C4FAEB47A22FFBE7CA3E928AFB0
SHA-256:	205D000AA762F3A96AC3AD4B25D791B5F7FC8EFB9056B78F299F671A02B9FD21
SHA-512:	F8615C5E5CF768A94E06961C7C8BEF99BEB43E004A882A4E384F5DD56E047CA59B963A59971F78DCF4C35D1BB92D3A9BC7055BFA3A0D597635DE1A9CE06A3476
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:IomZ:I
MD5:	6616491953AEAE9CBA19B0415F4E6C40
SHA1:	F4AB60E547C785AE0AA536F83874A80CBA42D41A
SHA-256:	86B915C991C85EC840DFC1542793D98012082FAF9043602A69E41A2DA3DE7D25
SHA-512:	EFAA015F5EF4340951C47AB8B6FFA52D70D77D609EE9F018428219EF6D7DEAB05364A2F4B5F2C02722DE42819FDF36AB0F8FBE1050461BE2955917BB8CA662E6
Malicious:	false
Preview:	..............................

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.6704438601916132
Encrypted:	false
SSDEEP:	12:rl3baF/CqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCN:rGRmnq1Py961N
MD5:	E8243C76171DD4C46CC16B9F5C79DE6B
SHA1:	93A3FA40CD776AB00BA919BA1534C49D9F9B8846
SHA-256:	7C736FD1EF92964046E06217ACDC56E2F21B3FC9B0BA10850306A31A48DC351D
SHA-512:	89FC6E04116070268AC58CCCDD16466E601AF1EB8281BC9DF4909CEFA66B475E526B22259E1823C4C46C27DF000364DD884A0BB774517CA53141F211A3380DDA
Malicious:	true
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.3010031291493735
Encrypted:	false
SSDEEP:	768:snQcwUsSwiv8MM+CuhpBntzhv4DQWjwDxPCGgXmaBfd8BUTIZli:B+EW1tWOxNofdeNZw
MD5:	7B3643A770107D92F8DFBA978BB169BD
SHA1:	C8067B667C117ABCFA661D7DB47E48E8CA90B647
SHA-256:	AE0A6E84E21AF2869442A35CADB89FB29767AFEF02E2C2D83EC248DEB4D8AC42
SHA-512:	2F3EC735209F3F2E38C1A98E03703F341C349F7867E373A73B58E3F34003FA8B2ED3083989EC0F89DAA0F69AB362D97F5A5139B54FE031023863F1DAA34C88AC
Malicious:	true
Preview:	!BDNL..SM......\........*......7.......T................@...........@...@...................................@...........................................................................$.......D......@%..............3...............6...........................................................................................................................................................................................................................................................................................h..........'w.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	1.2184454591152476
Encrypted:	false
SSDEEP:	384:LQjTCTaexr0pS4MR0aOtiTLlGNgFzBcWTZG0yO4rMWKPQq47d1RL:L2WZQ2NG2KBfsPp2
MD5:	91102CDCE3474734431065F528A35F3C
SHA1:	CACE778F810CC63101DEF9AC688A26843ED1BCF3
SHA-256:	5EB051E615A2954823B94512ED75217AF669990E48CA4A5FB10A6DCDD4F47993
SHA-512:	C9A8FC17D70E6FB18F4D707EBE3C7779CDD1D3C85B3622B046671DC57F53F6CD62DA42C7ECFCD6B4BE9053689E083043791E7047F6709F4CE6CA86B88D16BAD0
Malicious:	true
Preview:	_..A0...a............!.[?.......B............#...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................7G....7..........C...b............!.[?....................#.!BDNL..SM......\........*......7.......T................@...........@...@...................................@...........................................................................$.......D......@%..............3...............6...............................................................................................................................................................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	4.559356191931866
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	Town Of Castle Rock Open Benefits Enrollment.eml.msg
File size:	80'896 bytes
MD5:	0b7af109ab89093b3d0a010c90ee7849
SHA1:	b36459e6ed288409d10c1cfbc140c9eaffbb2393
SHA256:	ed3e6f3e0909da5e5dbbc6f1807d41072f2431f1e130af26e7d7d2e6e2348018
SHA512:	3ef6888a877f272aa779d6d75c4be550810ca0f14a166f1d474c996f2362b5219e26bc0af508dbe258799eb8fe49b4327a3b43a12e8534db587c9d5d58dd1de4
SSDEEP:	768:NmZknpTW2fJ6vPd9YIp/ipidsKQW6OqhD0YzXM2q1XMouB4U0mAFgUyhmHUJ:HnBW2fJi0Ip6pidMQWMFHmAqdh
TLSH:	5B83201136FA4105F277AF315DF190938631BD92AD25DA4F328D734E0BB1981E9B2B2B
File Content Preview:	........................>......................................................................................................................................................................................................................................

Static Mail

General

Subject:	Open Benefits Enrollment Eligible for tray
From:	Town Of Castle Rock <HR-Benefits@crgov.com>
To:	tray@crgov.com
Cc:
BCC:
Date:
Communications:	Town Of Castle Rock Human Resources Update Friday, November 22, 2024 Summary We are excited to announce that our annual benefits open enrollment is here! Town Of Castle Rock Open Enrollment is scheduled to run from Friday, November 22nd Tuesday, November 26th. Stakeholders All Town Of Castle Rock Benefits-Eligible Employees Objective This will be an Active enrollment which means all employees are required to review and elect each benefit. If you fail to enroll this November, your current benefits will not roll over and you will have to wait until the next open enrollment period (November 2025). Resources We are offering multiple resources leading up to and during open enrollment so that you can learn about our offerings and make the best-informed decision for you and your family. * Open Enrollment Guide for 2025 will be provided no later than November 25th. * The PlanSource portal opens November 25th. Access PlanSource via Town Of Castle Rock-HR to view/complete open enrollment and access all informational material or click on the link PlanSource provides via email. * We will host live sessions via Teams to promote exciting changes for next year. * We will send multiple email reminders and provide more detailed information on how to access the platform to ensure everyone has the information they need for a successful Open Enrollment. Questions? Questions can be directed to Crgov-benefits.HR@crgov.com.
Attachments:	Town Of Castle Rock 401k Retirement Plan.shtml Town Of Castle Rock Eligible Finance Insurance Benefits Open Enrollment Plan.shtml Town Of Castle Rock Health Insurance Benefits Open Enrollment Plan.shtml Town Of Castle Rock Life Insurance Benefits Open Enrollment Plan.shtml

Headers

Key	Value
Received	from d218-3.smtp-out.eu-west-2.amazonses.com (23.249.218.3) by
by PH8PR14MB7059.namprd14.prod.outlook.com with HTTPS; Saturday/November/2024 20	09 PM
17	57:46 +0000
by CY8PR14MB6924.namprd14.prod.outlook.com (2603	10b6:930:7f::15) with
2024 17	55:17 +0000
(2603	10b6:610:cc::19) with Microsoft SMTP Server (version=TLS1_2,
Transport; Saturday/November/2024 20	09 PM 17:55:17 +0000
Authentication-Results	spf=pass (sender IP is 23.249.218.3)
Received-SPF	Pass (protection.outlook.com: domain of eu-west-2.amazonses.com
via Frontend Transport; Saturday/November/2024 20	09 PM 17:55:16 +0000
DKIM-Signature	v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
h=From	Subject:To:Content-Type:MIME-Version:Date:Message-Id:Feedback-ID;
From	Town Of Castle Rock <HR-Benefits@crgov.com>
Subject	Open Benefits Enrollment Eligible for tray
To	tray@crgov.com
X-MS-Has-Attach	yes
X-MS-Exchange-Organization-SCL	1
X-MS-TNEF-Correlator	Date: Saturday-November-2024 20:09 PM
Message-ID	<010b0190c1d5882a-e7c982f4-43a6-4765-b6d0-5f2257217ddd-000000@eu-west-2.amazonses.com>
Feedback-ID	::1.eu-west-2.uQHn1aDxFPJetz452TvKPhpeW9UF0L3iW3vcPpMjX3k=:AmazonSES
X-SES-Outgoing	2024.07.17-23.249.218.3
Return-Path	010b0190c1d5882a-e7c982f4-43a6-4765-b6d0-5f2257217ddd-000000@eu-west-2.amazonses.com
X-MS-Exchange-Organization-Network-Message-Id	a19fa367-e956-4079-164e-08dca6899de3
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	57d83755-4267-426c-83d0-dda81f4d4391:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	CH2PEPF0000013D:EE_\|CY8PR14MB6924:EE_\|PH8PR14MB7059:EE_
X-MS-Exchange-Organization-AuthSource	CH2PEPF0000013D.namprd02.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id	a19fa367-e956-4079-164e-08dca6899de3
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Microsoft-Antispam	BCL:0;ARA:13230040\|1032899013\|32142699015\|4123199012\|5073199012\|5063199012\|4073199012\|69100299015
X-Forefront-Antispam-Report	CIP:23.249.218.3;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:d218-3.smtp-out.eu-west-2.amazonses.com;PTR:d218-3.smtp-out.eu-west-2.amazonses.com;CAT:NONE;SFS:(13230040)(1032899013)(32142699015)(4123199012)(5073199012)(5063199012)(4073199012)(69100299015);DIR:INB
X-MS-Exchange-CrossTenant-OriginalArrivalTime	17 Jul 2024 17:55:16.2840
X-MS-Exchange-CrossTenant-Network-Message-Id	a19fa367-e956-4079-164e-08dca6899de3
X-MS-Exchange-CrossTenant-Id	57d83755-4267-426c-83d0-dda81f4d4391
X-MS-Exchange-CrossTenant-AuthSource	CH2PEPF0000013D.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped	CY8PR14MB6924
X-MS-Exchange-Transport-EndToEndLatency	00:02:29.8357502
X-MS-Exchange-Processed-By-BccFoldering	15.20.7762.024
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198)
X-Microsoft-Antispam-Message-Info	=?iso-8859-1?Q?5X9i/D7Fye23FpuI8btmuQM2T21GGHUfY+7zhQO8K+pIDzRBMHX0pXYcqR?=
MIME-Version	1.0
Content-Language	en-US
Content-Type	multipart/mixed;
date

File Icon


Icon Hash:	c4e1928eacb280a2

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OUTLOOK.EXEPID: 7428, Parent PID: 4004

General

Target ID:	2
Start time:	11:56:48
Start date:	25/11/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Town Of Castle Rock Open Benefits Enrollment.eml.msg"
Imagebase:	0x1a0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: ai.exePID: 7968, Parent PID: 7428

General

Target ID:	6
Start time:	11:56:56
Start date:	25/11/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CD870B45-C509-4A45-9439-56A828AB902E" "584C2ECB-F035-4585-AF1C-282443772D9D" "7428" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff721680000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly