Edit tour

Windows Analysis Report
RE_ NCSA for Stoncor Middle East Trading.eml

Overview

General Information

Sample name:	RE_ NCSA for Stoncor Middle East Trading.eml
Analysis ID:	1504859
MD5:	a83b2b420716fcac565dd41061eff1aa
SHA1:	3cc73dfcf3622c1960b6c10de33a04409637ffc3
SHA256:	9bcbd71dc30132f915f01700bfd7e3ac6f98e926e0d93efc3904b047be1ffb18
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

IP address seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 7144 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\RE_ NCSA for Stoncor Middle East Trading.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 512 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BF4E55BD-D7C9-494D-AFCD-03576F9FB608" "FE5FDB2E-DBCA-4806-996B-6932E75CAB93" "7144" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

Acrobat.exe (PID: 2736 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FLKRI7V1\NCSOC-GPG-Kleoptra-snt2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 2972 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 656 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1564,i,16594438828922420294,520252352787094824,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7144, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Joe Sandbox View

IP Address: 104.118.8.172 104.118.8.172

Source: global traffic

HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.172

Source: global traffic

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A0.6.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 77EC63BDA74BD0D0E0426DC8F80085060.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.aadrm.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.office.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://api.scheduler.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://app.powerbi.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://augloop.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://canary.designerapp.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.entity.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://clients.config.office.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cortana.ai
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://cr.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://d.docs.live.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://directory.services.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ecs.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: RE_ NCSA for Stoncor Middle East Trading.eml, ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	String found in binary or memory: https://flowcrete.ae/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://graph.windows.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://invites.office.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://login.windows.local
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://make.powerautomate.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://management.azure.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://management.azure.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://outlook.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://res.cdn.office.net
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://service.powerapps.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://substrate.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://tasks.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: RE_ NCSA for Stoncor Middle East Trading.eml	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhtt=
Source: RE_ NCSA for Stoncor Middle East Trading.eml	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttp-3A__stoncor.com_&amp=
Source: RE_ NCSA for Stoncor Middle East Trading.eml	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__flo=
Source: RE_ NCSA for Stoncor Middle East Trading.eml	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__flowcrete.=
Source: RE_ NCSA for Stoncor Middle East Trading.eml	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__www.fiber=
Source: RE_ NCSA for Stoncor Middle East Trading.eml	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__www.stoncor-2Dme=
Source: ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=http-3A__stoncor.com_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnCDy
Source: ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=https-3A__flowcrete.ae_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnC
Source: ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.carboline.com_&d=DwMF-g&c=4zVgJgBD7romUrcVg
Source: ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fibergrate.com_&d=DwMF-g&c=4zVgJgBD7romUrcV
Source: ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stoncor-2Dme.com_&d=DwMF-g&c=4zVgJgBD7romUr
Source: RE_ NCSA for Stoncor Middle East Trading.eml	String found in binary or memory: https://urldefense.proofpoint=
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: RE_ NCSA for Stoncor Middle East Trading.eml, ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	String found in binary or memory: https://www.carboline.com/
Source: RE_ NCSA for Stoncor Middle East Trading.eml, ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	String found in binary or memory: https://www.fibergrate.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: RE_ NCSA for Stoncor Middle East Trading.eml	String found in binary or memory: https://www.stoncor-me.com/
Source: 8E276809-F546-41BA-A0D2-86F879163739.0.dr	String found in binary or memory: https://www.yammer.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: classification engine

Classification label: clean2.winEML@20/69@0/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240905T0830410335-7144.etl

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\RE_ NCSA for Stoncor Middle East Trading.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BF4E55BD-D7C9-494D-AFCD-03576F9FB608" "FE5FDB2E-DBCA-4806-996B-6932E75CAB93" "7144" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FLKRI7V1\NCSOC-GPG-Kleoptra-snt2.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1564,i,16594438828922420294,520252352787094824,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BF4E55BD-D7C9-494D-AFCD-03576F9FB608" "FE5FDB2E-DBCA-4806-996B-6932E75CAB93" "7144" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FLKRI7V1\NCSOC-GPG-Kleoptra-snt2.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1564,i,16594438828922420294,520252352787094824,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: RE_ NCSA for Stoncor Middle East Trading.eml

Static file information: File size 4373309 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: Y0bpBQAAACpQemuXdoICGi7tjxmlFwAAAKhA6a1d2gkKaLi0P2aUXgAAAKACpbd2aScooOHS/phR
Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: H+/W+GV60fU58W2qEmuxB4E0+NbBrtlBkY4Bre12xjvtKmR1BIUkGs/wV/yAU+tbl7/x5Tf7hq68
Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: 7GR5rGGRzlmQEmuY8Q6hq19rMei6LcC1lC+ZLORkqv0oa15QWqudfRXNaVcahpN6mnatei7eRdyT
Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: 7nhve8a12l9q/CxNQ3+jb12uyikdDs66F6Jk7ZVhJHJ4ULxQEMU9yxXPc6tliNo9NLG/B7as5a7/
Source: Outlook Data File - NoEmail.pst.0.dr, ~Outlook Data File - NoEmail.pst.tmp.0.dr	Binary or memory string: hqeMU
Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: 48kTD10PVw8nB4wLl/IZjLu3rwcmiEDugDQgAYgjUZLigCye3FHIHVMcIJj/3h76r/i9AHeqduyF
Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: 6Gqaa3JTT2CiiikMKKKKACmyRpLGySKGVhgg96VmCIWPQDJrP0vW7TVzOLUsfIco+Rjmi1w21LNr
Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: azuYqqWYKoyT0qSS2mizvjYAHBNam23tPI8u3WXzedz54+lTXNuJi5WNS/mHqeMU1htHrqJ4r3lp
Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: vPG7d7bs2ldTd+JvDY2XVKVXv7527Tqgn2vXvr6qSr3U2PC3E3U1+3Zteed3y34ze/qEMUmDo4wB
Source: RE_ NCSA for Stoncor Middle East Trading.eml	Binary or memory string: AECQqwGLPm4tOrdm0alTspMurkWbJ1EsCgAAJcWz6N7MouuxKAAAQEMuF1p0WV2LNlGiWBQAAErK
Source: NCSOC-GPG-Kleoptra-snt2.pdf.0.dr, olk382D.tmp.0.dr, NCSOC-GPG-Kleoptra-snt2 (002).pdf.0.dr	Binary or memory string: Ix1%qeMU=C}

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	Avira URL Cloud	safe
https://autodiscover-s.outlook.com/	0%	Avira URL Cloud	safe
https://urldefense.proofpoint.com/v2/url?u=https-3A__flowcrete.ae_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnC	0%	Avira URL Cloud	safe
https://outlook.office365.com/connectors	0%	Avira URL Cloud	safe
https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__flowcrete.=	0%	Avira URL Cloud	safe
https://login.microsoftonline.com/	0%	Avira URL Cloud	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	Avira URL Cloud	safe
https://shell.suite.office.com:1443	0%	Avira URL Cloud	safe
https://api.diagnosticssdf.office.com	0%	Avira URL Cloud	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	Avira URL Cloud	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	Avira URL Cloud	safe
https://api.addins.omex.office.net/appinfo/query	0%	Avira URL Cloud	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	Avira URL Cloud	safe
https://powerlift.acompli.net	0%	Avira URL Cloud	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	Avira URL Cloud	safe
https://urldefense.proofpoint.com/v2/url?u=http-3A__stoncor.com_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnCDy	0%	Avira URL Cloud	safe
https://cortana.ai	0%	Avira URL Cloud	safe
https://urldefense.proofpoint=	0%	Avira URL Cloud	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	Avira URL Cloud	safe
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stoncor-2Dme.com_&d=DwMF-g&c=4zVgJgBD7romUr	0%	Avira URL Cloud	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	Avira URL Cloud	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://cloudfiles.onenote.com/upload.aspx	0%	Avira URL Cloud	safe
https://ic3.teams.office.com	0%	Avira URL Cloud	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	Avira URL Cloud	safe
https://entitlement.diagnosticssdf.office.com	0%	Avira URL Cloud	safe
https://www.yammer.com	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	Avira URL Cloud	safe
https://urldefense.proofpoint.com/v2/url?u=3Dhtt=	0%	Avira URL Cloud	safe
https://api.microsoftstream.com/api/	0%	Avira URL Cloud	safe
https://cr.office.com	0%	Avira URL Cloud	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	Avira URL Cloud	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	Avira URL Cloud	safe
https://otelrules.svc.static.microsoft	0%	Avira URL Cloud	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	Avira URL Cloud	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	Avira URL Cloud	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	Avira URL Cloud	safe
https://edge.skype.com/registrar/prod	0%	Avira URL Cloud	safe
https://graph.ppe.windows.net	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	Avira URL Cloud	safe
https://tasks.office.com	0%	Avira URL Cloud	safe
https://powerlift-frontdesk.acompli.net	0%	Avira URL Cloud	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	Avira URL Cloud	safe
https://api.scheduler.	0%	Avira URL Cloud	safe
https://my.microsoftpersonalcontent.com	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	Avira URL Cloud	safe
https://www.fibergrate.com/	0%	Avira URL Cloud	safe
https://edge.skype.com/rps	0%	Avira URL Cloud	safe
https://api.aadrm.com	0%	Avira URL Cloud	safe
https://outlook.office.com/autosuggest/api/v1/init?cvid=	0%	Avira URL Cloud	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	Avira URL Cloud	safe
https://messaging.engagement.office.com/	0%	Avira URL Cloud	safe
https://globaldisco.crm.dynamics.com	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	Avira URL Cloud	safe
https://dev0-api.acompli.net/autodetect	0%	Avira URL Cloud	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	Avira URL Cloud	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	Avira URL Cloud	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	Avira URL Cloud	safe
https://web.microsoftstream.com/video/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/	0%	Avira URL Cloud	safe
https://officesetup.getmicrosoftkey.com	0%	Avira URL Cloud	safe
https://substrate.office.com	0%	Avira URL Cloud	safe
https://graph.windows.net	0%	Avira URL Cloud	safe
https://analysis.windows.net/powerbi/api	0%	Avira URL Cloud	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	Avira URL Cloud	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	Avira URL Cloud	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	Avira URL Cloud	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	Avira URL Cloud	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	Avira URL Cloud	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	Avira URL Cloud	safe
https://d.docs.live.net	0%	Avira URL Cloud	safe
https://ncus.contentsync.	0%	Avira URL Cloud	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	Avira URL Cloud	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	Avira URL Cloud	safe
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	0%	Avira URL Cloud	safe
http://weather.service.msn.com/data.aspx	0%	Avira URL Cloud	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	Avira URL Cloud	safe
https://officepyservice.office.net/service.functionality	0%	Avira URL Cloud	safe
https://apis.live.net/v5.0/	0%	Avira URL Cloud	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	Avira URL Cloud	safe
https://templatesmetadata.office.net/	0%	Avira URL Cloud	safe
https://messaging.lifecycle.office.com/	0%	Avira URL Cloud	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	Avira URL Cloud	safe
https://flowcrete.ae/	0%	Avira URL Cloud	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	Avira URL Cloud	safe
https://pushchannel.1drv.ms	0%	Avira URL Cloud	safe
https://management.azure.com	0%	Avira URL Cloud	safe
https://urldefense.proofpoint.com/v2/url?u=3Dhttp-3A__stoncor.com_&amp=	0%	Avira URL Cloud	safe
https://outlook.office365.com	0%	Avira URL Cloud	safe
https://wus2.contentsync.	0%	Avira URL Cloud	safe
https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__flo=	0%	Avira URL Cloud	safe
https://make.powerautomate.com	0%	Avira URL Cloud	safe
https://incidents.diagnostics.office.com	0%	Avira URL Cloud	safe
https://clients.config.office.net/user/v1.0/ios	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://shell.suite.office.com:1443	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__flowcrete.=	RE_ NCSA for Stoncor Middle East Trading.eml	false	Avira URL Cloud: safe	unknown
https://designerapp.azurewebsites.net	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://urldefense.proofpoint.com/v2/url?u=https-3A__flowcrete.ae_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnC	~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://outlook.office365.com/connectors	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://cdn.entity.	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://api.addins.omex.office.net/appinfo/query	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://powerlift.acompli.net	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://urldefense.proofpoint.com/v2/url?u=http-3A__stoncor.com_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnCDy	~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://cortana.ai	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://urldefense.proofpoint=	RE_ NCSA for Stoncor Middle East Trading.eml	false	Avira URL Cloud: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stoncor-2Dme.com_&d=DwMF-g&c=4zVgJgBD7romUr	~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnosticssdf.office.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://api.aadrm.com/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://canary.designerapp.	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://www.yammer.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://urldefense.proofpoint.com/v2/url?u=3Dhtt=	RE_ NCSA for Stoncor Middle East Trading.eml	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://api.microsoftstream.com/api/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://cr.office.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://otelrules.svc.static.microsoft	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://portal.office.com/account/?ref=ClientMeControl	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://edge.skype.com/registrar/prod	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://graph.ppe.windows.net	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://powerlift-frontdesk.acompli.net	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://tasks.office.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://officeci.azurewebsites.net/api/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://api.scheduler.	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://my.microsoftpersonalcontent.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://www.fibergrate.com/	RE_ NCSA for Stoncor Middle East Trading.eml, ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://api.aadrm.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://edge.skype.com/rps	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://globaldisco.crm.dynamics.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://messaging.engagement.office.com/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://dev0-api.acompli.net/autodetect	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://www.odwebp.svc.ms	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://web.microsoftstream.com/video/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://graph.windows.net	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://dataservice.o365filtering.com/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://officesetup.getmicrosoftkey.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://analysis.windows.net/powerbi/api	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://substrate.office.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://d.docs.live.net	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://safelinks.protection.outlook.com/api/GetPolicy	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://ncus.contentsync.	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
http://weather.service.msn.com/data.aspx	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://apis.live.net/v5.0/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://officepyservice.office.net/service.functionality	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://templatesmetadata.office.net/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://messaging.lifecycle.office.com/	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://flowcrete.ae/	RE_ NCSA for Stoncor Middle East Trading.eml, ~WRS{9609CEBB-96F5-4252-9C0B-D5D0E3E9606C}.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://pushchannel.1drv.ms	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://management.azure.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://outlook.office365.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://urldefense.proofpoint.com/v2/url?u=3Dhttp-3A__stoncor.com_&amp=	RE_ NCSA for Stoncor Middle East Trading.eml	false	Avira URL Cloud: safe	unknown
https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__flo=	RE_ NCSA for Stoncor Middle East Trading.eml	false	Avira URL Cloud: safe	unknown
https://wus2.contentsync.	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://incidents.diagnostics.office.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/ios	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown
https://make.powerautomate.com	8E276809-F546-41BA-A0D2-86F879163739.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.118.8.172	unknown	United States		16625	AKAMAI-ASUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1504859
Start date and time:	2024-09-05 14:29:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RE_ NCSA for Stoncor Middle East Trading.eml
Detection:	CLEAN
Classification:	clean2.winEML@20/69@0/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.76.243, 2.19.126.160, 2.19.126.151, 52.109.32.38, 52.109.32.47, 52.109.32.46, 52.109.32.39, 20.42.65.88, 52.109.28.48, 184.28.88.176, 107.22.247.231, 18.207.85.246, 34.193.227.236, 54.144.73.197, 162.159.61.3, 172.64.41.3, 2.19.126.149, 2.19.126.143, 2.16.202.123, 95.101.54.195, 199.232.214.172, 93.184.221.240, 2.16.164.107, 2.16.164.115, 2.16.164.121, 2.16.164.35, 2.16.164.19, 2.16.164.11, 2.16.164.105, 2.16.164.113, 2.16.164.75
Excluded domains from analysis (whitelisted): osiprod-uks-bronze-azsc-000.uksouth.cloudapp.azure.com, odc.officeapps.live.com, acroipm2.adobe.com, mobile.events.data.microsoft.com, a1952.dscq.akamai.net, ocsp.digicert.com, login.live.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, hlb.apr-52dd2-0.edgecastdns.net, officeclient.microsoft.com, apps.identrust.com, wu-b-net.trafficmanager.net, a1864.dscd.akamai.net, www.bing.com, ecs.office.com, identrust.edgesuite.net, acroipm2.adobe.com.edgesuite.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, uks-azsc-000.odc.officeapps.live.com, nleditor.osi.office.net, s-0005.s-msedge.net, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, geo2.adobe.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, omex.cdn.office.net, e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, europe.odcsm1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, wu.azureedge.net, neu-azsc-
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: RE_ NCSA for Stoncor Middle East Trading.eml

Simulations

Behavior and APIs

Time	Type	Description
08:31:33	API Interceptor	2x Sleep call for process: AcroCEF.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.118.8.172	GHGprotocol_Scope12-Guidance_191114.pdf	Get hash	malicious	Unknown	Browse
	Secured Doc-[wSP-29072].pdf	Get hash	malicious	Unknown	Browse
	CorporateCare(13) 07.12.2024.pdf	Get hash	malicious	Unknown	Browse
	One_Docx 1.pdf	Get hash	malicious	HTMLPhisher	Browse
	Contracts Along DocSign-3.pdf	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	New Order Inquiry Maiden Med Sept 2024 #287772.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.210.172
	http://cdn.btmessage.com	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://inboxsender.gxsearch.club/redir5/serial.php	Get hash	malicious	Unknown	Browse	199.232.214.172
	66ba1a1880f9e_crypta.exe	Get hash	malicious	Stealc	Browse	199.232.214.172
	x.exe	Get hash	malicious	XWorm	Browse	199.232.210.172
	https://app.edu.buncee.com/buncee/67041126b8c5429abf86de62d6aaa0d9	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://rf-190.squarespace.com/sharepoint?e=ben.ly@wic.vic.gov.au	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://email.dependent.best/maintenance.html?book=py.kim@hdel.co.kr	Get hash	malicious	Unknown	Browse	199.232.214.172
	RANGLANDLAW.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	SecuriteInfo.com.Linux.Siggen.9999.21530.5221.elf	Get hash	malicious	Mirai	Browse	23.10.77.236
	https://buysuhagra.shop/ePFcjxsx	Get hash	malicious	HTMLPhisher	Browse	23.38.98.96
	Fatura_200393871.pdf	Get hash	malicious	Unknown	Browse	23.38.98.122
	https://1drv.ms/o/s!Ajq9zC5M8q4HgQZYMFwoYdIgQ7Uc?e=V7cJrH	Get hash	malicious	Unknown	Browse	2.16.185.204
	Inspection Notice.msg	Get hash	malicious	HTMLPhisher	Browse	2.19.126.151
	Rechnung.pdf	Get hash	malicious	Unknown	Browse	23.38.98.86
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:626535c6-68da-4729-b016-6e974989fb70	Get hash	malicious	LummaC Stealer	Browse	2.19.126.211
	https://www.decisionmodels.com/FastExcelV4_Install.htm	Get hash	malicious	Unknown	Browse	184.28.90.27
	https://acrobat.adobe.com/id/urn:aaid:sc:US:4a1d4a71-0ecb-4b97-81ac-6d37886bcc89	Get hash	malicious	LummaC Stealer	Browse	2.19.126.211
	https://acrobat.adobe.com/id/urn:aaid:sc:US:6b473b2a-bd40-4154-8733-c1bbca42e1c1	Get hash	malicious	LummaC Stealer	Browse	2.19.126.211

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.212963086017743
Encrypted:	false
SSDEEP:	6:PmxQyq2PsHO2nKuAl9OmbnIFUt82mrcnG1Zmw+2mOYQRkwOsHO2nKuAl9OmbjLJ:P8QyvkHVHAahFUt82mcng/+2fYQR51HY
MD5:	81479A79E938DD1208DA50BF03B37ED1
SHA1:	6A27D2274AC867FE79394770FF31F637BCBA8D85
SHA-256:	5C65FA5C2C661CFCB1C4D42301BBE3D661AA0E74A1E672F9B27CAF4843F38CB2
SHA-512:	F2CA52A6E8FC550501FDCA2C71D7AF9E9A1F86AD14E5DE2B4007B60D43DA232CEFBB40F919C362A04F94C0F3808DB160FBC5277D5A4B1048F8EEEFE72684E465
Malicious:	false
Reputation:	low
Preview:	2024/09/05-08:31:20.782 1690 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/09/05-08:31:20.785 1690 Recovering log #3.2024/09/05-08:31:20.786 1690 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.3767829222528105
Encrypted:	false
SSDEEP:	3072:zIgw8jgNmiGu2TCqoQsrt0Fv4DLJRotYW:zn0mi2T/mLJRot1
MD5:	961CCF4F7BAE9BEBCF116E96990B1EEF
SHA1:	21E2397AE8CADE46F938C6BDD18737D2B990D60F
SHA-256:	684157715FAD5899A305C4C7AF3F446771D9989E37BBABE541A66EEADCEF446E
SHA-512:	8B0F562F3711C515AFCE1AD2A029323466E9FE89AA42FA2AA0376B82402BDCA51F32231F689014722B1EA09EBE8C651E1887A646A53F045D988D9FE12A47799C
Malicious:	false
Preview:	TH02...... .@.`J........SM01X...,...p>PJ............IPM.Activity...........h...............h............H..h,........_xy...h........0...H..h\tor ...AppD...h.L..0..........h.F.............h........_`.k...h.Y..@...I.+w...h....H...8..k...0....T...............d.........2h...............k..............!h.............. h..^...........#h....8.........$h0.......8....."h..............'h..............1h.F..<.........0h....4.....k../h....h......kH..h....p...,.....-h ............+h_G...... ................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	6.035128149888016
TrID:
File name:	RE_ NCSA for Stoncor Middle East Trading.eml
File size:	4'373'309 bytes
MD5:	a83b2b420716fcac565dd41061eff1aa
SHA1:	3cc73dfcf3622c1960b6c10de33a04409637ffc3
SHA256:	9bcbd71dc30132f915f01700bfd7e3ac6f98e926e0d93efc3904b047be1ffb18
SHA512:	75984b9f737d9827ec034a40b7fab8232ed5977ec23fb18cbca0feb86825e99811e7e5465adbb6bcc968068c45a0be2935f4ba629218bad62d284617b3894c81
SSDEEP:	49152:OqPp4DbqeSnZXlASaWm3IH6qKjMAYYwOSVaP5QL0iKvT3xlvFxfSM2:j
TLSH:	9F16F131D6775EAA06521AEF190772C0AC7CB7B786DCC1F731A29B63F0B68B2C618550
File Content Preview:	Authentication-Results: relay.mimecast.com;...dkim=pass header.d=ncsa.gov.qa header.s=selector20210613 header.b=VMr9jG9y;...dmarc=pass (policy=quarantine) header.from=ncsa.gov.qa;...spf=pass (relay.mimecast.com: domain of ncsoc@ncsa.gov.qa designates 78.1

Subject:	RE: NCSA for Stoncor Middle East Trading
From:	NCSOC <NCSOC@ncsa.gov.qa>
To:	Mary Grace Dimaano <marygrace.dimaano@stoncor-me.com>
Cc:	Pritam Chaudhari <Pritam.Chaudhari@stoncor-me.com>, NCSOC <NCSOC@ncsa.gov.qa>
BCC:	Pritam Chaudhari <Pritam.Chaudhari@stoncor-me.com>, NCSOC <NCSOC@ncsa.gov.qa>
Date:	Thu, 05 Sep 2024 06:13:21 +0000
Communications:	Dear StonCor Middle East, This is the National Cyber Security Agency from the state of Qatar, we have a report that needs to be shared with you. To keep the report confidential, kindly share with us your PGP public encryption key to encrypt the report. If you do not have encryption keys, then please follow the attached guidelines to create them and share the public key with us. Best regards, NCSOC National Cyber Security Agency Hotline: 16555 \| Email: NCSOC@ncsa.gov.qa<mailto:NCSOC@ncsa.gov.qa> PO Box 24100, Wadi Al Sail Street, Doha State of Qatar [cid:image009.png@01D92121.B06CFBB0] From: Mary Grace Dimaano <marygrace.dimaano@stoncor-me.com> Sent: Wednesday, September 4, 2024 2:48 PM To: NCSOC <NCSOC@ncsa.gov.qa> Cc: Pritam Chaudhari <Pritam.Chaudhari@stoncor-me.com> Subject: NCSA for Stoncor Middle East Trading CAUTION: This Email is from an EXTERNAL source. Ensure you trust this sender before clicking on any links or attachments. Dear Mr. Pritam, Reference to our conversation, we received a call from your team regarding cyber security information for Stoncor Trading and they gave us an email to contact them for further details as per below. Email: ncsoc@ncsa.gov.qa<mailto:ncsoc@ncsa.gov.qa> Contact number: 40466337 Please advise how to proceed. Thanks. Best Regards, Grace Dimaano-Mendoza\| Sales Administrator-Qatar StonCor Middle East Trading O: 974 4009 4606 \| C: 974 4009 4606 \| E: marygrace.dimaano@stoncor-me.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__stoncor.com_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnCDy-1--2IZEdf9hvdGxrOw&r=LmBKIfrivLB4hZedRYtjshVhSRMKYW6Paji5lykz5tg&m=odbsiyhuwkmRmP62BOBNDCkbnm58ZEEA0z1vV2MeXwLLWqu6j7V2k-u1FFDi42W1&s=rrAxvYupaxtaOLnwni7OUHD6gWfUNqApq0BlzXj6y8A&e=> https://www.carboline.com/<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.carboline.com_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnCDy-1--2IZEdf9hvdGxrOw&r=LmBKIfrivLB4hZedRYtjshVhSRMKYW6Paji5lykz5tg&m=odbsiyhuwkmRmP62BOBNDCkbnm58ZEEA0z1vV2MeXwLLWqu6j7V2k-u1FFDi42W1&s=u11MQ2QjANM_BQJsWDWf3n5IneZ3l2YEfPjOneClngo&e=> \| https://www.fibergrate.com/<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fibergrate.com_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnCDy-1--2IZEdf9hvdGxrOw&r=LmBKIfrivLB4hZedRYtjshVhSRMKYW6Paji5lykz5tg&m=odbsiyhuwkmRmP62BOBNDCkbnm58ZEEA0z1vV2MeXwLLWqu6j7V2k-u1FFDi42W1&s=e3gbqlGtilqAmFVc3qOZWnVUNUA7JIoDLjnZLNAjA74&e=> \| https://flowcrete.ae/<https://urldefense.proofpoint.com/v2/url?u=https-3A__flowcrete.ae_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnCDy-1--2IZEdf9hvdGxrOw&r=LmBKIfrivLB4hZedRYtjshVhSRMKYW6Paji5lykz5tg&m=odbsiyhuwkmRmP62BOBNDCkbnm58ZEEA0z1vV2MeXwLLWqu6j7V2k-u1FFDi42W1&s=o2SnSvTK2yAFZkLIoYPPEScS1rvpB8qWFE9iCfEIsmk&e=> \| https://www.stoncor-me.com/<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.stoncor-2Dme.com_&d=DwMF-g&c=4zVgJgBD7romUrcVghkpnCDy-1--2IZEdf9hvdGxrOw&r=LmBKIfrivLB4hZedRYtjshVhSRMKYW6Paji5lykz5tg&m=odbsiyhuwkmRmP62BOBNDCkbnm58ZEEA0z1vV2MeXwLLWqu6j7V2k-u1FFDi42W1&s=02HlSQk3t6-glPOGUjd17dqzWpLJzDBEfEfKAryLeO0&e=> [cid:image006.png@01DAFF73.D7CA4410] [cid:image007.png@01DAFF73.D7CA4410] BE VIGILANT: Our banking details remain unchanged ====================================================================== : . . . . . . Disclaimer: The information in this email, including attachments, may contain information that is confidential, protected by intellectual property rights, and may be legally privileged. It is intended solely for the addressee(s). Any access, use, disclosure, copying, or distribution of the information contained herein by persons other than the designated addressee is unauthorized and may be unlawful. If you are not the intended recipient, you should delete this message immediately from your system. If you believe that you have received this email in error, please contact the sender or National Cyber Security Agency. Any views expressed in this email or its attachments are those of the individual sender except where the sender, expressly and with authority, states them to be the views of National Cyber Security Agency
Attachments:	NCSOC-GPG-Kleoptra-snt2.pdf

Key	Value
Authentication-Results	relay.mimecast.com; dkim=pass header.d=ncsa.gov.qa header.s=selector20210613 header.b=VMr9jG9y; dmarc=pass (policy=quarantine) header.from=ncsa.gov.qa; spf=pass (relay.mimecast.com: domain of ncsoc@ncsa.gov.qa designates 78.100.112.205 as permitted sender) smtp.mailfrom=ncsoc@ncsa.gov.qa
Received	Messaging Servers
X-MC-Unique	F7GKLergMr-fzyrD2z7XgA-1
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsa.gov.qa; h=cc : content-type : date : from : in-reply-to : message-id : mime-version : references : subject : to; s=selector20210613; bh=TDEl108VjESWIOGwhKTV+F+SVvHwgNQH4duyx/drJFk=; b=VMr9jG9yn2QAWDQUBVH02FaUJyaQw2y11zO2ID9npwUt7A45by4cmQagKvg+89JDmaoD eMTkZl1jNnwZFvEszoZIh/DJeDLRhHScw9yqJlg2x3WP0AdizH9oqQr5YL1w0C5HS71j HgX2nonhg1BBkV8F+Y3uwZi+1jaY4GsVZrDTqEx7x/oQ7Zf8nHNAAShZEXKCb973Ov4n uCwfwSv5c2JGtJdo5XdHz7tmu8hY3BXiK9RTTTrtrhORVzAwcV4VJukztkSLOEQK5yiA qfvwBhJRqrsowLyrqbQOFjktyVWUju1IbRZMGTBrnGuJYy48xZ7AVbmV40sc3J+BBsxH Gw==
From	NCSOC <NCSOC@ncsa.gov.qa>
To	Mary Grace Dimaano <marygrace.dimaano@stoncor-me.com>
CC	Pritam Chaudhari <Pritam.Chaudhari@stoncor-me.com>, NCSOC <NCSOC@ncsa.gov.qa>
Subject	RE: NCSA for Stoncor Middle East Trading
Thread-Topic	NCSA for Stoncor Middle East Trading
Thread-Index	AQHa/qj13TYkEudZy0eV5RHM4R6S3bJIt2bA
Date	Thu, 05 Sep 2024 06:13:21 +0000
Message-ID	<828c477fdedb482980d7e50162590ff8@ncsa.gov.qa>
References	<BY3PR18MB4689502AEE3E9C1C623E91BED29C2@BY3PR18MB4689.namprd18.prod.outlook.com>
In-Reply-To	<BY3PR18MB4689502AEE3E9C1C623E91BED29C2@BY3PR18MB4689.namprd18.prod.outlook.com>
Accept-Language	en-US
X-MS-Has-Attach	yes
X-MS-TNEF-Correlator
x-ms-exchange-messagesentrepresentingtype	1
x-originating-ip	[10.12.30.73]
x-ms-exchange-sharedmailbox-routingagent-processed	True
x-c2processedorg	07431b5f-577f-412c-bc9b-61591cd10198
MIME-Version	1.0
X-Proofpoint-ORIG-GUID	DeqarkRaqpN49B3bb0emSrpronNHJq0n
X-Proofpoint-GUID	DeqarkRaqpN49B3bb0emSrpronNHJq0n
X-Proofpoint-Virus-Version	vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29 definitions=2024-09-05_04,2024-09-04_01,2024-09-02_01
X-Proofpoint-Spam-Details	rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=494 suspectscore=0 malwarescore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 adultscore=0 bulkscore=0 classifier=scan_limit adjust=0 reason=mlx scancount=1 engine=8.12.0-2407110000 definitions=main-2409050043
X-Mimecast-Spam-Score	-4
Content-Language	en-US
Content-Type	multipart/mixed; boundary="_008_828c477fdedb482980d7e50162590ff8ncsagovqa_"

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 5, 2024 14:31:33.612752914 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:33.612797022 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:33.612884045 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:33.613054037 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:33.613068104 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.172966003 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.173285961 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.173316002 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.174810886 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.174891949 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.176673889 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.176789045 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.176858902 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.220510960 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.221307993 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.221334934 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.269294977 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.274221897 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.274415970 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.274476051 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.274909973 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.274933100 CEST	443	49738	104.118.8.172	192.168.2.17
Sep 5, 2024 14:31:34.274943113 CEST	49738	443	192.168.2.17	104.118.8.172
Sep 5, 2024 14:31:34.274981976 CEST	49738	443	192.168.2.17	104.118.8.172

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 5, 2024 14:31:34.176035881 CEST	1.1.1.1	192.168.2.17	0x950	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:31:34.176035881 CEST	1.1.1.1	192.168.2.17	0x950	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:32:21.429270983 CEST	1.1.1.1	192.168.2.17	0xd6b8	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:32:21.429270983 CEST	1.1.1.1	192.168.2.17	0xd6b8	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:32:45.515840054 CEST	1.1.1.1	192.168.2.17	0x5337	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 5, 2024 14:32:45.515840054 CEST	1.1.1.1	192.168.2.17	0x5337	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-09-05 12:31:34 UTC	475	OUT	GET /onboarding/smskillreader.txt HTTP/1.1 Host: armmf.adobe.com Connection: keep-alive Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br If-None-Match: "78-5faa31cce96da" If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
2024-09-05 12:31:34 UTC	198	IN	HTTP/1.1 304 Not Modified Content-Type: text/plain; charset=UTF-8 Last-Modified: Mon, 01 May 2023 15:02:33 GMT ETag: "78-5faa31cce96da" Date: Thu, 05 Sep 2024 12:31:34 GMT Connection: close

Target ID:	0
Start time:	08:30:41
Start date:	05/09/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\RE_ NCSA for Stoncor Middle East Trading.eml"
Imagebase:	0xc60000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	08:30:44
Start date:	05/09/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BF4E55BD-D7C9-494D-AFCD-03576F9FB608" "FE5FDB2E-DBCA-4806-996B-6932E75CAB93" "7144" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff60c640000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	08:31:18
Start date:	05/09/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FLKRI7V1\NCSOC-GPG-Kleoptra-snt2.pdf"
Imagebase:	0x7ff7bb350000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	08:31:19
Start date:	05/09/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff77bfa0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	7
Start time:	08:31:20
Start date:	05/09/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1564,i,16594438828922420294,520252352787094824,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff77bfa0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RE_ NCSA for Stoncor Middle East Trading.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\4079fc41-7ba6-484e-9de5-f6e61a3db43c.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240905123124Z-171.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Windows Analysis Report
RE_ NCSA for Stoncor Middle East Trading.eml

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre