Edit tour

Windows Analysis Report
[EXTERNAL] Redbrick Communications Request For Proposal .eml

Overview

General Information

Sample name:	[EXTERNAL] Redbrick Communications Request For Proposal .eml
Analysis ID:	1538796
MD5:	444c20f8162f2d53fd9c0c87e1ce97e5
SHA1:	0e375d16441994421c68b95f339ae7b32fb98194
SHA256:	aca675ed79973dc7edcedd2558a3affa929b2777afb107195864c7d6370f1552
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

AI detected landing page (webpage, office document or email)

AI detected potential phishing Email

HTML page contains obfuscated javascript

Phishing site detected (based on favicon image match)

Phishing site detected (based on image similarity)

Creates a window with clipboard capturing capabilities

Detected clear text password fields (password is not hidden)

HTML body contains low number of good links

HTML page contains hidden javascript code

HTML title does not match URL

Invalid 'forgot password' link found

Invalid 'sign-in options' or 'sign-up' link found

Invalid T&C link found

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Outlook Security Settings Updated - Registry

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6668 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\[EXTERNAL] Redbrick Communications Request For Proposal .eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6916 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C893188F-B547-495B-A163-D0C4FA4A6C44" "C6D3235E-0B00-4E43-8169-199264D12382" "6668" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

Acrobat.exe (PID: 7068 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FE4HG9BK\Redbrick Communications (RFP) ID#19994.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 3284 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 3424 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1748 --field-trial-handle=1604,i,12233105341430411722,14371217641438827000,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 7608 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://rb003.revillajimenezasoc.com//@ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1812,i,15778528327472951222,3276190338158914891,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7744 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://rb003.revillajimenezasoc.com//@ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3960 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1932,i,13640797076422111405,4577157427694876214,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Outlook Security Settings Updated - Registry

Source: Registry Key set

Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FE4HG9BK\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://p4enterprises.com/yyhu.html	LLM: Score: 7 Reasons: The brand 'Microsoft OneDrive' is well-known and typically associated with the domain 'onedrive.live.com'., The provided URL 'p4enterprises.com' does not match the legitimate domain for Microsoft OneDrive., The URL 'p4enterprises.com' does not contain any recognizable elements related to Microsoft or OneDrive., The URL appears to be a generic domain name with no clear association to the brand 'Microsoft OneDrive'., The presence of a generic input field labeled 'Enter rfp' does not align with typical Microsoft OneDrive functionality. DOM: 1.0.pages.csv
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	LLM: Score: 9 Reasons: The brand 'Microsoft' is well-known and typically associated with the domain 'microsoft.com'., The URL 'bespoke.global-constructions.ca' does not match the legitimate domain for Microsoft., The domain 'global-constructions.ca' does not have any known association with Microsoft., The presence of a password input field on a non-Microsoft domain is suspicious., The URL structure with 'bespoke' and 'global-constructions' suggests a potential phishing attempt as it does not align with Microsoft's typical domain structure. DOM: 4.11.pages.csv

HTML page contains obfuscated javascript

Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49	HTTP Parser: function a0_0x2715(){var _0x50fd02=['send','3400551lUpwmh','querySelectorAll','src','textConte
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: var a0_0x2ac5b1=a0_0x3f7d;(function(_0x2f86b4,_0xdc976b){var _0x2b9367=a0_0x3f7d,_0x22a028=_0x2
Source: https://bespoke.global-constructions.ca/js2_/67168ea5e8b89-9d7acd36bcda926e6106a0741706a8c1	HTTP Parser: const a0_0x51e51a=a0_0x1fd5;function a0_0x1fd5(_0x5ed4ce,_0x323b12){const _0x449c60=a0_0x170e();retu

Phishing site detected (based on favicon image match)

Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49

Matcher: Template: microsoft matched with high similarity

Phishing site detected (based on image similarity)

Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49

Matcher: Found strong image similarity, brand: MICROSOFT

Source: https://p4enterprises.com/yyhu.html

HTTP Parser: <input type="text"... for password input

Source: https://p4enterprises.com/yyhu.html	HTTP Parser: Number of links: 0
Source: https://bespoke.global-constructions.ca/	HTTP Parser: Number of links: 0
Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49	HTTP Parser: Number of links: 0
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: Number of links: 0

Source: https://p4enterprises.com/yyhu.html

HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 640 512"><path d="M38.8 5.1C28.4-3.1 13.3-1.2 5.1 9...

Source: https://p4enterprises.com/yyhu.html	HTTP Parser: Title: PDF Document does not match URL
Source: https://bespoke.global-constructions.ca/	HTTP Parser: Title: Sign in to your account does not match URL
Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49	HTTP Parser: Title: Sign in to your account does not match URL
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: Title: Sign in to your account does not match URL

Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64

HTTP Parser: Invalid link: reset it now.

Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49

HTTP Parser: Invalid link: get a new Microsoft account

Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49	HTTP Parser: Invalid link: Terms of use
Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49	HTTP Parser: Invalid link: Privacy & cookies
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: Invalid link: Terms of use
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: Invalid link: Privacy & cookies

Source: https://p4enterprises.com/yyhu.html	HTTP Parser: <input type="password" .../> found
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: <input type="password" .../> found

Source: https://p4enterprises.com/yyhu.html	HTTP Parser: No favicon
Source: https://p4enterprises.com/yyhu.html	HTTP Parser: No favicon
Source: https://p4enterprises.com/yyhu.html	HTTP Parser: No favicon
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: No favicon

Source: https://p4enterprises.com/yyhu.html	HTTP Parser: No <meta name="author".. found
Source: https://p4enterprises.com/yyhu.html	HTTP Parser: No <meta name="author".. found
Source: https://bespoke.global-constructions.ca/	HTTP Parser: No <meta name="author".. found
Source: https://bespoke.global-constructions.ca/	HTTP Parser: No <meta name="author".. found
Source: https://bespoke.global-constructions.ca/	HTTP Parser: No <meta name="author".. found
Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49	HTTP Parser: No <meta name="author".. found
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: No <meta name="author".. found

Source: https://p4enterprises.com/yyhu.html	HTTP Parser: No <meta name="copyright".. found
Source: https://p4enterprises.com/yyhu.html	HTTP Parser: No <meta name="copyright".. found
Source: https://bespoke.global-constructions.ca/	HTTP Parser: No <meta name="copyright".. found
Source: https://bespoke.global-constructions.ca/	HTTP Parser: No <meta name="copyright".. found
Source: https://bespoke.global-constructions.ca/	HTTP Parser: No <meta name="copyright".. found
Source: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49	HTTP Parser: No <meta name="copyright".. found
Source: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.131:443 -> 192.168.2.16:49825 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 144.217.158.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: p4enterprises.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: bespoke.global-constructions.ca
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msauthimages.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.131:443 -> 192.168.2.16:49825 version: TLS 1.2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window created: window name: CLIPBRDWNDCLASS

Source: classification engine

Classification label: mal68.phis.winEML@49/92@27/224

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241021T1323590703-6668.etl

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\[EXTERNAL] Redbrick Communications Request For Proposal .eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C893188F-B547-495B-A163-D0C4FA4A6C44" "C6D3235E-0B00-4E43-8169-199264D12382" "6668" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FE4HG9BK\Redbrick Communications (RFP) ID#19994.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1748 --field-trial-handle=1604,i,12233105341430411722,14371217641438827000,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://rb003.revillajimenezasoc.com//@
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://rb003.revillajimenezasoc.com//@
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1812,i,15778528327472951222,3276190338158914891,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1932,i,13640797076422111405,4577157427694876214,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 656097F4474E5D3D60577B82C0867787
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C893188F-B547-495B-A163-D0C4FA4A6C44" "C6D3235E-0B00-4E43-8169-199264D12382" "6668" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\FE4HG9BK\Redbrick Communications (RFP) ID#19994.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1748 --field-trial-handle=1604,i,12233105341430411722,14371217641438827000,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://rb003.revillajimenezasoc.com//@
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://rb003.revillajimenezasoc.com//@
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1812,i,15778528327472951222,3276190338158914891,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1932,i,13640797076422111405,4577157427694876214,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: PDF document	LLM: Page contains button: 'View PDF' Source: 'PDF document'
Source: PDF document	LLM: PDF document contains prominent button: 'view pdf'
Source: https://p4enterprises.com/yyhu.html	LLM: Page contains button: 'VIEW PDF' Source: '1.0.pages.csv'
Source: https://bespoke.global-constructions.ca/	LLM: Page contains button: 'Verify you are human' Source: '2.7.pages.csv'

AI detected potential phishing Email

Source: Email

JoeBoxAI: Detected potential phishing email: The email claims to have an attached RFP, but no attachment is mentioned in the JSON data

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Clipboard Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Name	IP	Active	Malicious	Reputation
p4enterprises.com	188.114.97.3	true	true	unknown
a.nel.cloudflare.com	35.190.80.1	true	false	unknown
code.jquery.com	151.101.130.137	true	false	unknown
sni1gl.wpc.upsiloncdn.net	152.199.21.175	true	false	unknown
challenges.cloudflare.com	104.18.94.41	true	false	unknown
bespoke.global-constructions.ca	188.114.97.3	true	true	unknown
www.google.com	142.250.186.68	true	false	unknown
aadcdn.msauthimages.net	unknown	unknown	false	unknown
x1.i.lencr.org	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://bespoke.global-constructions.ca/	true	unknown
https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49	true	unknown
https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64	true	unknown
https://p4enterprises.com/yyhu.html	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
144.217.158.133	unknown	Canada	16276	OVHFR	false
184.28.88.176	unknown	United States	16625	AKAMAI-ASUS	false
20.189.173.5	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.18.94.41	challenges.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
151.101.130.137	code.jquery.com	United States	54113	FASTLYUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
52.109.32.97	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.19.126.160	unknown	European Union	16625	AKAMAI-ASUS	false
142.250.186.131	unknown	United States	15169	GOOGLEUS	false
142.250.186.110	unknown	United States	15169	GOOGLEUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
107.22.247.231	unknown	United States	14618	AMAZON-AESUS	false
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.184.195	unknown	United States	15169	GOOGLEUS	false
172.217.16.202	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
108.177.15.84	unknown	United States	15169	GOOGLEUS	false
172.217.16.206	unknown	United States	15169	GOOGLEUS	false
52.109.68.130	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.18.95.41	unknown	United States	13335	CLOUDFLARENETUS	false
151.101.2.137	unknown	United States	54113	FASTLYUS	false
142.250.185.170	unknown	United States	15169	GOOGLEUS	false
142.250.186.106	unknown	United States	15169	GOOGLEUS	false
2.23.197.184	unknown	European Union	1273	CWVodafoneGroupPLCEU	false
88.221.110.91	unknown	European Union	20940	AKAMAI-ASN1EU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.97.3	p4enterprises.com	European Union	13335	CLOUDFLARENETUS	true
52.109.28.47	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
152.199.21.175	sni1gl.wpc.upsiloncdn.net	United States	15133	EDGECASTUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538796
Start date and time:	2024-10-21 19:23:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	[EXTERNAL] Redbrick Communications Request For Proposal .eml
Detection:	MAL
Classification:	mal68.phis.winEML@49/92@27/224
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.28.47, 2.19.126.160, 2.19.126.151, 52.109.68.130, 20.189.173.5
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: [EXTERNAL] Redbrick Communications Request For Proposal .eml

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-20240620	{ "explanation": [ "The email claims to have an attached RFP, but no attachment is mentioned in the JSON data", "The 'To' field is set to 'Undisclosed recipients:;', which is unusual for a legitimate business communication", "The email includes a file pass key, which is often used in phishing attempts to add a sense of urgency or importance" ], "phishing": true, "confidence": 8 }
Is this email content a phishing attempt? Please respond only in valid JSON format: Email content converted to JSON: { "date": "Mon, 21 Oct 2024 16:54:55 +0000", "subject": "[EXTERNAL] Redbrick Communications Request For Proposal ", "communications": [ "Some people who received this message don't often get email from montgomery@redbrick.ca. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>\n\nGood Day,\n\n\nPlease find attached an important RFP(Request For Proposal) from Redbrick Communications that requires your attention.\n\nFile Pass key: rfp\n\n[RFP ID #19994] Issued: 21st of October 2024\n\nSubmission deadline: 21st of November 2024\n\nThanks,\n\n\n\nAndrea Montgomery, APR, Prosci\n\nVice President, Redbrick Communications\n\nwww.redbrick.ca<http://www.redbrick.ca/>\n\n\n\nMy work day may look different from yours. Please do not feel the need to respond outside of your regular working hours.\n\n\n" ], "from": "Andrea Montgomery <montgomery@redbrick.ca>", "to": "Undisclosed recipients:;" }
URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Please find attached an important RFP(Request For Proposal) from Redbrick Communications that requires your attention.", "prominent_button_name": "unknown", "text_input_field_labels": [ "File Pass key:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false }

URL: PDF document Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "This PDF document has been encrypted by Redbrick Communications.", "prominent_button_name": "View PDF", "text_input_field_labels": "unknown", "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: PDF document Model: claude-3-haiku-20240307	```json { "brands": [ "Microsoft 365" ] }
	```json { "brands": [ "Microsoft 365" ] }
URL: Email Model: claude-3-haiku-20240307	```json { "brands": [ "Redbrick Communications" ] }
	```json { "brands": [ "Redbrick Communications" ] }
URL: https://p4enterprises.com/yyhu.html Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Type in 'rfp' to access on Microsoft OneDrive.", "prominent_button_name": "VIEW PDF", "text_input_field_labels": [ "Enter 'rfp'" ], "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://p4enterprises.com/yyhu.html Model: claude-3-haiku-20240307	```json { "brands": [ "Microsoft OneDrive" ] }
	```json { "brands": [ "Microsoft OneDrive" ] }
URL: https://p4enterprises.com/yyhu.html Model: gpt-4o	```json{ "legit_domain": "onedrive.live.com", "classification": "wellknown", "reasons": [ "The brand 'Microsoft OneDrive' is well-known and typically associated with the domain 'onedrive.live.com'.", "The provided URL 'p4enterprises.com' does not match the legitimate domain for Microsoft OneDrive.", "The URL 'p4enterprises.com' does not contain any recognizable elements related to Microsoft or OneDrive.", "The URL appears to be a generic domain name with no clear association to the brand 'Microsoft OneDrive'.", "The presence of a generic input field labeled 'Enter rfp' does not align with typical Microsoft OneDrive functionality." ], "riskscore": 9} Google indexed: True
URL: p4enterprises.com Brands: Microsoft OneDrive Input Fields: Enter 'rfp'
URL: https://bespoke.global-constructions.ca/ Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Verify you are human", "prominent_button_name": "Verify you are human", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://bespoke.global-constructions.ca/ Model: claude-3-haiku-20240307	```json { "brands": [ "Cloudflare", "Microsoft" ] }
	```json { "brands": [ "Cloudflare", "Microsoft" ] }
URL: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49 Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Can't access your account?", "prominent_button_name": "Create one!", "text_input_field_labels": [ "Email or phone" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://bespoke.global-constructions.ca/&redirect=2f820ca3d02493e0c64659894e20b8d1405b23abmain&uid=f253efe302d32ab264a76e0ce65be76967168e8e60e49 Model: claude-3-haiku-20240307	```json { "brands": [] }
	```json { "brands": [] }
URL: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64 Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Enter password", "prominent_button_name": "Sign in", "text_input_field_labels": [ "Password" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64 Model: claude-3-haiku-20240307	```json { "brands": [ "Microsoft" ] }
	```json { "brands": [ "Microsoft" ] }
URL: https://bespoke.global-constructions.ca/&redirect=5b8053b9dea0f7c6b78c93cf3713f2d1sec&uid=f253efe302d32ab264a76e0ce65be76967168ea4b1a64 Model: gpt-4o	```json{ "legit_domain": "microsoft.com", "classification": "wellknown", "reasons": [ "The brand 'Microsoft' is well-known and typically associated with the domain 'microsoft.com'.", "The URL 'bespoke.global-constructions.ca' does not match the legitimate domain for Microsoft.", "The domain 'global-constructions.ca' does not have any known association with Microsoft.", "The presence of a password input field on a non-Microsoft domain is suspicious.", "The URL structure with 'bespoke' and 'global-constructions' suggests a potential phishing attempt as it does not align with Microsoft's typical domain structure." ], "riskscore": 9} Google indexed: False
URL: bespoke.global-constructions.ca Brands: Microsoft Input Fields: Password

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.115429046996033
Encrypted:	false
SSDEEP:
MD5:	A3CA55D67C9F9AE10FB4E7D841F10CC6
SHA1:	B69C0AA73444128420E9D031426A0B3E4ADE520C
SHA-256:	134F6D2A1ED61741377BCBDAE30E3EF4AD2BF49530EC6802963AA3146EE9E52E
SHA-512:	2C2E034439AC542EA1BD1FB988CAFF896B82497AA2E9DBB4CEB61B5E105EC94254AA570D000D4BC8068A927AE112E16BA2E1FAE667E20A09CC25854588F39D63
Malicious:	false
Reputation:	unknown
Preview:	2024/10/21-13:24:11.033 1930 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/21-13:24:11.035 1930 Recovering log #3.2024/10/21-13:24:11.035 1930 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	231348
Entropy (8bit):	4.38278811557967
Encrypted:	false
SSDEEP:
MD5:	85754B276331539938136ED70F9A2CB2
SHA1:	59F61D4647463180F4762F84BFFA739A8A7C9019
SHA-256:	D99325FE26E1C233386E0934A462D1E9BADA8A33A3F6A2E6964F8B1D80D5B837
SHA-512:	6FD5B57BD8137C44DB7FC5F3DC7186D00E064FFC2947CAA0620FD8BE5967B79E79B36E277D717470208E8FAF4D5106B9272E464CE587F0FA098DE6AF1FB5419B
Malicious:	false
Reputation:	unknown
Preview:	TH02...... ..+...#......SM01X...,... ....#..........IPM.Activity...........h...............h............H..h..........F>...h.........n..H..h\cal ...pDat...h.h..0...`......hw.$W...........h........_`Mk...h;.$W@...I.lw...h....H...8.Rk...0....T...............d.........2h...............kU.I...........!h.............. h.0S.....x.....#h....8.........$h.n......8....."h..5.......5...'h..............1hw.$W<.........0h....4....Rk../h....h.....RkH..h.{..p.........-h .............+h..$W........................ ..............F7..............FIPM.Activity.,nwForm....Standard...hJournal Entry..hIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries......[1.kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 21 16:24:16 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9898311565701956
Encrypted:	false
SSDEEP:
MD5:	E96BB8979EB53C7F728334B07CBC1ACF
SHA1:	3323521E325303B4BC0717C20A74E7181B1F53CC
SHA-256:	FC3E9DA9218395048F9B0673932052A139A0A2DF5F0BCF648F21054FE97B02BD
SHA-512:	471D402BDD5B914E42C26F886B5E9B3ECF28814F3209E2C44EED5226E15B6A28884359AD25E6348D28358BC77AC23CC72A9AFA2FFE17941495CC403A18A03935
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....C.f..#..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IUY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VUY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VUY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VUY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VUY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	RFC 822 mail, Unicode text, UTF-8 (with BOM) text, with very long lines (347), with CRLF line terminators
Entropy (8bit):	6.020964205539258
TrID:	Text - UTF-8 encoded (3003/1) 100.00%
File name:	[EXTERNAL] Redbrick Communications Request For Proposal .eml
File size:	55'906 bytes
MD5:	444c20f8162f2d53fd9c0c87e1ce97e5
SHA1:	0e375d16441994421c68b95f339ae7b32fb98194
SHA256:	aca675ed79973dc7edcedd2558a3affa929b2777afb107195864c7d6370f1552
SHA512:	c813c7eca4ddbe3f56726c3f1219a1ddfb743fff897c0f5dd5361b84ac1434c75c7ec84e013b1d9c34cae6091cfaa648e356b86e9723095696b8130d70e3a044
SSDEEP:	1536:j/KliSFOBFsaijMz61To/y8Kbpkj9R2wdJo:j/CiScwFUWqHo
TLSH:	1E438017EF810D119B5B49A168CF7BFD3F3D1BCBAB62497025AB3A39064DCD286C5284
File Content Preview:	...Received: from IA1PR12MB6483.namprd12.prod.outlook.com (::1) by.. IA1PR12MB7517.namprd12.prod.outlook.com with HTTPS; Mon, 21 Oct 2024 17:01:02.. +0000..ARC-Seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass;.. b=Xvq6q3EZVweJY5+ES18B

Subject:	[EXTERNAL] Redbrick Communications Request For Proposal
From:	Andrea Montgomery <montgomery@redbrick.ca>
To:	Undisclosed recipients:;
Cc:
BCC:
Date:	Mon, 21 Oct 2024 16:54:55 +0000
Communications:	Some people who received this message don't often get email from montgomery@redbrick.ca. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Good Day, Please find attached an important RFP(Request For Proposal) from Redbrick Communications that requires your attention. File Pass key: rfp [RFP ID #19994] Issued: 21st of October 2024 Submission deadline: 21st of November 2024 Thanks, Andrea Montgomery, APR, Prosci Vice President, Redbrick Communications www.redbrick.ca<http://www.redbrick.ca/> My work day may look different from yours. Please do not feel the need to respond outside of your regular working hours.
Attachments:	Redbrick Communications (RFP) ID#19994.pdf

Key	Value
Received	from YQBPR0101MB9855.CANPRD01.PROD.OUTLOOK.COM ([fe80::a28a:d37f:ae2f:5551]) by YQBPR0101MB9855.CANPRD01.PROD.OUTLOOK.COM ([fe80::a28a:d37f:ae2f:5551%5]) with mapi id 15.20.8069.027; Mon, 21 Oct 2024 16:54:55 +0000
ARC-Seal	i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=UwGqb+76vqv2eSlQjZHTBSQJb6GcFWIeXVhX9XG5aSVDIh7iWCYKEd6eQKG+uOEv5xW4c1enA5eLgdUZV7i/+l5iQTWvBX8DMTig6DbWI8a74O685LAX1Y8FAWQSqKpxHFEux3UcTfquaiJKdGN6DsPSndGwFPMADSp9bnOyu8nC0EpNap9Z1u0gksFwOBHxl0NGEvsO7/2l/lglnx+qEICKCpcELv1zEyN8B77B1/BqS2ahy8MzZPYHBepCZaMqFvS/aI8XJyAuDLaG3e1KGdDJ6WAjfJM0muKmNWQLRDkVXa0w4GDV1isrc7RC+jbsN06dpr/VBI2d+SAbcVvDfw==
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=nruMv/1CrnQ2lmwcvZwEGY5zmtaEggE8gf4GR96WCj8=; b=vvUP3tlTUV1+fmREKgdMFa9V6E2/5Kralz86YwK4YgTOzMF8iHpdkBOMD+jHq+IkQvo54vWg8TXIrMiMVeMWtbAGfvkr23NB09LDRhQ51EsiA18Z2CI0znLYM8H8cXSW9xwvKEVQ6M9JJnWi/Yip2FpqEDt5za/BQCq9uEeKEKOYoz2kq2vA+2T7gZc9jFKhNlj3JGRxTXHOxn2022ykiP8FRidKsqHhpzLraD+VonDpZ0b3GnzQDJ+cl3Kycp60B9aCcTOCrgxF3CtrdEOpH1fcZlHQ+E8V/v9HJac6PMf0NsKAPLuSPRxEMyM3gi15HU7CQHjaqnvX8O68/3B7nQ==
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=redbrick.ca; dmarc=pass action=none header.from=redbrick.ca; dkim=pass header.d=redbrick.ca; arc=none
Authentication-Results	spf=pass (sender IP is 52.101.191.76) smtp.mailfrom=redbrick.ca; dkim=pass (signature was verified) header.d=redbrick.ca;dmarc=pass action=none header.from=redbrick.ca;compauth=pass reason=100
Received-SPF	Pass (protection.outlook.com: domain of redbrick.ca designates 52.101.191.76 as permitted sender) receiver=protection.outlook.com; client-ip=52.101.191.76; helo=YQZPR01CU011.outbound.protection.outlook.com; pr=C
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=redbrick.ca; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nruMv/1CrnQ2lmwcvZwEGY5zmtaEggE8gf4GR96WCj8=; b=aILQxYJ2uyYqDcnppeUEJuYMVO5+4Z5DO1JbI6RZjayhKlwnayG52t3NGz83BpYIvmeyUx+2xV4RIfwQYYPGMWDPHiCYXXfD9qU21NhMpFI46Kgr+UiIoOPEWe4MzOW9hEyJNpewez/V6S+PEa125IGxzFJs20nFBHLzaAxSWNa3sTCg2tq8XvNkPGu4PrvrevUgnfoTQY46605Uo88Cc+LmtU6qYAmvKb+cG6Dl8kYHYlc3e6hlxFU7s6l135L5UVlR9QhzkjOssrRovF7te5bx8LAGPafutwbnKAqptTIF9HajEGGC9/ukgNIvP8qZtoSINgzFRv5lYc4r3BCCHg==
From	Andrea Montgomery <montgomery@redbrick.ca>
Subject	[EXTERNAL] Redbrick Communications Request For Proposal
Thread-Index	AQHbIhu2NNBbSFix90a6MYAZFrXYPA==
Date	Mon, 21 Oct 2024 16:54:55 +0000
Message-ID	<YQBPR0101MB9855354968F0C06AAFD577DEC7412@YQBPR0101MB9855.CANPRD01.PROD.OUTLOOK.COM>
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-TNEF-Correlator
msip_labels
Authentication-Results-Original	dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=redbrick.ca;
x-ms-traffictypediagnostic	YQBPR0101MB9855:EE_\|YT2PR01MB5307:EE_\|YT1PEPF00001E8D:EE_\|IA1PR12MB6483:EE_\|IA1PR12MB7517:EE_
X-MS-Office365-Filtering-Correlation-Id	d389e853-fdde-40f2-da0b-08dcf1f11872
x-ms-exchange-senderadcheck	1
x-ms-exchange-antispam-relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|376014\|7416014\|366016\|1800799024\|3613699012\|8096899003\|38070700018;
X-Microsoft-Antispam-Message-Info-Original	DDM3HziCrngxX9o4iojTWGvcqpClPRQb4w0IEqbY72YnBDl2BrUv1UkgKBAcbj9ZYSzDyyYMBlLZyoRjlPVg/A59AHZW0xC9f03C5tb68UJSmM6rjGmR+/cGge/DpcDsn2o45LLsK97fqUj9INtBJOkEGcwWlIX9ZRsT++mjUPNOlXCwIy5Whw26LVIZX8bC5Qr2kF0bvZUdwySvgi+Nha96Y83kega5mhQbsBpr0OlD+QfRdG+uoUv1fygrLgGQMO7rRrh3R6fULxMmqGIal4jqLBpKEYaxrUUrtVU8nzfU/F3djbPbqzQu+MiaLpLv/wp89bS7ByBo+Nhak2ciInIaxNbLeOjdXCdEEDv4aYO9/vLnft40+lSRzq82B1BS2EIHSDn4q0WvYwdtHaBFt/he7qkaQBO9X9qgh8bVVBtj2+E8rUYbuIJ14tR1+j+YyvbHuavVBJcT4t+RqTN6rJHRxbRS2Tjxyf39zZv+pEVV6gpXrXTRBsS51ixSSIvP1uCQ5xVuMOTpa932tx+ghOJgTxiBWZAnZccHxau6KgNqlJghW/KS5hzWcLb1Cq2rCVBAuUsIM/V3uaGpaqyu61czWPoh4F1owHL/mtq+KK+e0iLxHGqzAQGHZ5MH8vll+bgv/KwY+iacbddciF/0V9qVDU6QJBuzyK0juuxln2imLJsF1Byz1rcUHBgjUFeVP/572mpH+3ymcZdvD8JVXQr9WLGV+Q7BGdQoeNmXYwjHc5Q1RaJXWfA0AtZJtfmNzZveHY08GSwuDN0ygF8T0pRT/vGZ9xmcYS2oQwJqznxQx4CUtnODg+BQdWEmGlxbbN5QcjIhyuU53BU19tcy3rT26CEOmvsxXjGaFWOakuTUoFzsYLZaKmlmX/64OYh4FgF+r2KnnBJ/+ZhSF1elTR01r2lvl+RJS1hvjGsu4npEG9jDYnfKDLH83F2E2eyDwfImaPSN7umVvCplGS5M6p+REyFY2O6JljYciHqFWfM8He9pAyPmI5LdZOnd/JpqMwZBKTp77/Gxyg2Tdv74Cmee6wBpEz17yq0Y7sqra2gAAwVPOSD7V4UV/BkbMCPi2wWQual5kAnDZ84U4yS43eGLMFCr3rNMxeVTOy6Q78lxW4sS/z5J6U7ksehteWFSMGofRVp3lpCrJnKUQ8MhDiS0ljkbJKXibpf+npX4rFcEei+VK78ZFdUwiPw4CPGsWBb3RmbipEOnwhaDvCdgc8BQP8FcFZWTjZN9BFor9MGIpZ6vdqJuif6LvAzusUdKPd+ifFGlIZmLo1UHV2rjIM3mMZCdfPojrxGoj742Kj8=
X-Forefront-Antispam-Report-Untrusted	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YQBPR0101MB9855.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(7416014)(366016)(1800799024)(3613699012)(8096899003)(38070700018);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount	1
X-MS-Exchange-AntiSpam-MessageData-Original-0	dfjZLhijCHDHaBsC9jGFzedJyBQwHa7aNAV+sTSsPSIeSkjvf8qutDGX4ziQsfD20MV2V0i+BXgSkB8ABCxk5P/QAR0Nd/e2b2+ddMCXr8Es1qMNypa1bRoW/kMDbS7AHwZXSxzFYq87C23KfGV/5E4UDXIUtEpS4EJyqQZQf2poXpycLnq59ZEGcS+AzrzZpC3xt1avtAVqJ4McZByoISe+QmPc1ePalDZ3GwI8WURDoqkEn3sw9BPOd498Mbb3x9jgUtT68eFlqeSpAEiXB/TtxIMh/A0gQAY66FNV15uiJ9RxO88bmv8m4qfI+VuircZab8lh926YDu0H7fNHi4EZFV1reXTioiLQfCqzSuaUDX78G4PNNHOy5r5pJ7iIPrcXXDbJWv89hxbH0uIlqoGrHbF0kPG34ICseoiEe2j16Jvxo6+kjN3eZxnoP6R6xwEQJI2id1vkfpn5qqp8tQEmIZPE5QIdYq0xnsCsiywGjKX/aTCkyNG319MxNoHecfOHimBkN3CPmXTMrtWah+C50zDFFQwv5KpKV7shdENQqpVqZ7VQqOcWs9Bvx/dmRYBxfD3/75WUJMNRbPtHsGzNKIeOk9EDqHXFpgIaonDHZXMhMJNUB56rkPBoyvuCa9tDCHOjAgNFWT05MK7KNot2g/7GKeJO2GIqtRttJy6DGIcgnpeQ80QJ/PVbBgEvJNHLmSowPcut/LZbqxJkv86ypJFzkNtJpjCwdlpptxB/feqz7hsNMWcVPmTLkIM/acu/JRuPnnvJfX+wfYoRHi23uYYBpDaIlpFJ+nZL+aSBEJ9AR1qeX9H9vp66o5dRSBiE3mIlSMNjl0+qCGUMuNF2VxyFCBcZXkNINuG0mgu0G5+vQn7wClcJgCbEtexLM+bx8RxdtMwf5kRrGE400NalEVbdLpsPxudaULuuGFMvrMuthHNUmWNuebBODPeaCorhgMgWK2mAUPfB97SZMMHQWPwz4ouGvR1A7mEqorYFTFSNci4w77+og8vKXO/sFrDBOG3i3dV2F0HOz+zf3OY3Ajr8f+Nuecr0JgHnmB0BKs3yg6IEpvZQY5z6VX/rSozpDqVB+Bi+Z5wpDLoX9fQv3s5MB9Bkf9t99XAj5HJNCowrYfnlBreC5hgqgTwrKyEMSXT32WCwRWRt46jAixmOtIdki7yS2P/B7+I85GlsbrRc1ih6yRIu+dqoDB+unyy0+gnOAp+p0H9ZbBk0K2+hse66pQ66e7j06/1uxp06oo3XrznQksM2mtnAnHUQK71bkBuZQ899Qav5WiHYXaheQcD4W6q3+XgB5g8j4z79sGsjgbIVhxdOqzmGwERrFXI81uWG22p0nAIbi7IbWn9QAx1xJa1SsSJzZ8vkWHH57P+mgf2r4dMHEffofVsxD0Sw/ejnMn8qlJWrq5ZwU7RoB/3Wukfe3wOe+7V2NhgUGKHxTHi16HCgfA1R4OAjfpnogn4GqRBVJ8e8cMUSFC9C9TACJ6A4kz1BSvTZJVeUh7bpAaaIPWczRKE/frg1FOlPzqri2Lw/S8tTF3zfQ+2ROQvPy/qBaFPbNw8Ois8zwmR5UJGSGJgX0byazPJQ
Content-Type	multipart/mixed; boundary="_004_YQBPR0101MB9855354968F0C06AAFD577DEC7412YQBPR0101MB9855_"
X-MS-Exchange-Transport-CrossTenantHeadersStamped	IA1PR12MB6483
To	Undisclosed recipients:;
Return-Path	montgomery@redbrick.ca
X-MS-Exchange-Organization-ExpirationStartTime	21 Oct 2024 16:54:57.9360 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	d389e853-fdde-40f2-da0b-08dcf1f11872
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	c868558f-a1c1-46fc-821d-aed53bb48125:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped	YT1PEPF00001E8D.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-Transport-CrossTenantHeadersPromoted	YT1PEPF00001E8D.CANPRD01.PROD.OUTLOOK.COM
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	YT1PEPF00001E8D.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id-Prvs	3a9adbe2-c33f-4d9f-16ef-08dcf1f116f6
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-MS-Exchange-EnableFirstContactSafetyTip	Enable
X-MS-Exchange-Organization-SCL	1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|35042699022\|3613699012\|8096899003;
X-Forefront-Antispam-Report	CIP:52.101.191.76;CTRY:CA;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YQZPR01CU011.outbound.protection.outlook.com;PTR:mail-canadaeastazon11020076.outbound.protection.outlook.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(35042699022)(3613699012)(8096899003);DIR:INB;SFTY:9.25;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	21 Oct 2024 16:54:57.8578 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id	d389e853-fdde-40f2-da0b-08dcf1f11872
X-MS-Exchange-CrossTenant-Id	c868558f-a1c1-46fc-821d-aed53bb48125
X-MS-Exchange-CrossTenant-AuthSource	YT1PEPF00001E8D.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-EndToEndLatency	00:06:05.0123288
X-MS-Exchange-Processed-By-BccFoldering	15.20.8069.027
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	MGqWKh0ZieMSekolWI0cL54kUa3/uOBgL+s8YzsTVwGH8PjMZq4VI5OT42gpjxAuXnU+D6ZKenuIycz7s6yj/uvj6XPWXxKx8YmZRyL2k8HD1EWbPaN2MoGLUR4rd6CUAH7YE73UH+SVon5eKlE+wDySXIhpRGT1kWSNkvSPYQPEek6Hm3W9reuYYh9hhs9OG8vMlWieBxnPRmiVVEBfYY/gtDWkSJ+udPlQlR3E7sEnMjAQWmb92DrTbA0ADLYaCDCyA0F52fG7TdnfEtCW/hf7h+iIW8rImL9+sm/GnqsMx0sDgXB05hHB6XbD0Tad4LVQp/4xKhbxyLnyNUTcKH62rxbG/PKLxyQB/MvlJSMwDq2aXKgAh83efG0NGxo9N81B0KoZoB+L5bU+dWoV0c+R8DTUPMlT9JtR2jxwlI5syd3u90yyYMMEuMeL189dCg7Ypab2sEgU8xPioiOdiMu6SQCCvV1KnpiThNYMtGGixs1tpiLQZl8mn6iKha37CU0BzobSwVJz8/Lv82POeg0egIzR2Kq5DvOrNIhco6e4V/yD1KNpEOpBBPjLjzFE/L7jlevWpsMZxnIe4mYUYz2yrYXsWef0HLzEIvRegufv5Zg4Jn5oTzbLOVLVT7kT/bpXW0hRvDGFyPhNmSQBljhM0CYwRIl6iAZTq4IflShYnq1c5j168l70/npvLFelt8eXW1yxPmXoWhHK9b4xhAwIx7ZVTVwM9PUAb6fzMcq9mrzOfh28CiDTrABjaJTguNqq4jawinTwx5X+b2AuzPqw5LCjHEGTorV+L+LydU0kDBwDCSb0eVJZOvcnluRyTwPEQPDVfWXAtzVCkmTPNNZU9RPcNj5xxVS60XFrcKdRSVxcZUUeWUwYeWEHQHe9cAD7DxLluNxunOeRs2yaEde2AuHXXLbsXn7kHCnCJTjWmR4gME99SoCzbXEIdUX07txj7WHeAAsPx6El9u8BcHjCL/xXxDxjyw/0+hhTzpOpnRN2/lK/Ga5mWYpRn7n0y2i1jw2r87mnC4T1BlAnW8fZmqvyQuSLvhZg5TPWCOKiGkp4DsWNvPQ26gfPZGiq5wej5miB7V+alC+wSHxWKQ3xxo4up7LOltMvifJzUqGaLq7i0qEmUKhPbfwuDs6tk8kaQVWwRYKl4QJgd0kOuIiM4JxMxqA+pOeuYeNHwY8/cg6FDzaj41CzTyakTm3M7jkvirgDWavPQ30yOdPQsQew4xYX4UCX1SMSEH7qwPPrkTvcslbK/KwT9fzvPWhY0shKwJdyH46r7BwDNhSrKh9WwObSgJLGelf9Qv93NH/CZTfSjDQHaDtfjPSKvGFyeNPQcxB2BsEXUU4ZEFav1SVJMjscPvcSfqWZJ2HWvTQwVH9GlLKQwV3ghFfiVm74PgWNc64KystIkke+fe2rUTyoUlXpWdu/AGoOwiyuE+h+cIHgP/YXQbIR39XVyjQ8WPiVFXirCDmjAnt56BbbcXAdBf+LByrU0t5+a/nc+gCbCm7XieDuw7zp4ScrKw1SPNYHKRFyFMQT+1SL7x5pmcHqz+QsN55kBNwJjU3zwchrj0/PToBwmU98iAyjzd78DjXJhTmE72HjOAffHoAhFmorMZukfX2tk5JwB4H+jTk1n/VqBxzlRSYJHZxxqHLAZfpu1/bgJU9tdv93/rJExHFuDDLP8RoXibKrFAoH4YddldYEx0UU0y9N+Ol5YV+85ILFMf9HxaKoZlndIMzdoT7oNoJJB5+058I6aTzQBqN2TM/F5HzHBX7tnf0gTxx/ZZmJCodZJSMY8U+ccR9dJQ+lIfXHTiMpR3c/nYIsyPlDN03g2O/ZF7dNju5Fj1r6ETcyvUMoS9FNYDUKie/BQH8FyR/jxG5d1uZIPFd8WUoWR0pF1b5cSR2tcjUSmjCstud2jwTqZ6l4uG33HKn2qA8gI1NOmiS/jVxpJLWPgMMVYdm58D1B3DC/wZCGprPvaW7m6gF1yPAZXQjdd+J8yan+isZyzdq5brVi4hgZ+fLvIiKVGnJ1RTsdSaX7Y9ob
MIME-Version	1.0

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report [EXTERNAL] Redbrick Communications Request For Proposal .eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\a255512d-83f4-44ad-aa5a-be914c7b3c97.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241021172414Z-172.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.4692

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Windows Analysis Report
[EXTERNAL] Redbrick Communications Request For Proposal .eml