Edit tour
Windows
Analysis Report
John Garby.eml
Overview
General Information
| Sample name: | John Garby.eml |
| Analysis ID: | 1540227 |
| MD5: | 4089c8345685b82eca6a96828e6a9f77 |
| SHA1: | 5264f43ae46f9867d0d87e744e32742d5cbfe8fc |
| SHA256: | 2e3f747cf12a29db06f0e9883fdb512185078c0088eed21370325678e19ac57c |
| Infos: |  |
 | |
Detection
| Score: | 22 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 80% |
Signatures
AI detected potential phishing Email
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores large binary data to the registry
Classification
- System is w10x64_ra
OUTLOOK.EXE (PID: 4880 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \Root\Offi ce16\OUTLO OK.EXE" /e ml "C:\Use rs\user\De sktop\John Garby.eml " MD5: 91A5292942864110ED734005B7E005C0) 
ai.exe (PID: 6580 cmdline: "C:\Progra m Files (x 86)\Micros oft Office \root\vfs\ ProgramFil esCommonX6 4\Microsof t Shared\O ffice16\ai .exe" "71E 62F43-4037 -4074-8577 -B1B23D5E6 097" "34F6 05BC-11FC- 4DA2-BEDD- E779C32D26 86" "4880" "C:\Progr am Files ( x86)\Micro soft Offic e\Root\Off ice16\OUTL OOK.EXE" " WordCombin edFloatieL reOnline.o nnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD) 
Acrobat.exe (PID: 428 cmdline: "C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\Acrobat .exe" "C:\ Users\user \AppData\L ocal\Micro soft\Windo ws\INetCac he\Content .Outlook\1 62Z7WQ3\Jo hnGarby.pd f" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C) 
AcroCEF.exe (PID: 6912 cmdline: "C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ba ckgroundco lor=167772 15 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE) - AcroCEF.exe (PID: 5712 cmdline:
"C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --log-seve rity=disab le --user- agent-prod uct="Reade rServices/ 23.6.20320 Chrome/10 5.0.0.0" - -lang=en-U S --log-fi le="C:\Pro gram Files \Adobe\Acr obat DC\Ac robat\acro cef_1\debu g.log" --m ojo-platfo rm-channel -handle=22 60 --field -trial-han dle=1556,i ,174995748 0146819708 0,10624922 0831686031 72,131072 --disable- features=B ackForward Cache,Calc ulateNativ eWinOcclus ion,WinUse BrowserSpe llChecker /prefetch: 8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: frack113: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Key opened: | Jump to behavior | ||
Persistence and Installation Behavior |   |
|---|
| Source: | LLM: | ||
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | |||
| Source: | File Volume queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| x1.i.lencr.org | unknown | unknown | false | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | unknown | |||
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1540227 |
| Start date and time: | 2024-10-23 15:25:42 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 20s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 17 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | John Garby.eml |
| Detection: | SUS |
| Classification: | sus22.winEML@19/48@1/0 |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 93.184.221.240, 184.28.90.27, 52.113.194.132, 52.109.68.129, 2.19.126.151, 2.19.126.160, 52.182.143.213, 52.109.28.48, 184.28.88.176, 52.202.204.11, 54.227.187.23, 52.5.13.197, 23.22.254.206, 162.159.61.3, 172.64.41.3, 2.23.197.184, 88.221.168.141, 2.19.126.149, 2.19.126.143, 2.19.126.137, 2.19.126.163
- Excluded domains from analysis (whitelisted): osiprod-uks-bronze-azsc-000.uksouth.cloudapp.azure.com, odc.officeapps.live.com, slscr.update.microsoft.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, acroipm2.adobe.com, onedscolprdcus16.centralus.cloudapp.azure.com, login.live.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, hlb.apr-52dd2-0.edgecastdns.net, frc-azsc-000.roaming.officeapps.live.com, wu-b-net.trafficmanager.net, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, acroipm2.adobe.com.edgesuite.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, ssl.adobe.com.edgekey.net, uks-azsc-000.odc.officeapps.live.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, geo2.adobe.com, omex.cdn.office.net, e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, europe.odcsm1.live.com.akadns.net, e4578.dscb.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.c
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetValueKey calls found.
- VT rate limit hit for: John Garby.eml
| Time | Type | Description |
|---|---|---|
| 09:26:56 | API Interceptor |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 287 |
| Entropy (8bit): | 5.235208415638447 |
| Encrypted: | false |
| SSDEEP: | 6:SFd9+q2PRN2nKuAl9OmbnIFUt85F0VZmw+5F05VkwORN2nKuAl9OmbjLJ:44vaHAahFUt8kV/+kH5JHAaSJ |
| MD5: | 4732B928F2B0B87D56A619C119EBC74A |
| SHA1: | 1E447BE15BECFDD4196B9A1948CB571FF4BB73E5 |
| SHA-256: | EF52AB778F33BC885142DC8C8563BDCFEB6080D2D0C45A76BD66B3BC4908115A |
| SHA-512: | 07C626652E5859528E2C77E5573666F90EBF3ADB781980398D6E5B0242A1C01651365EE34B186D287EC80A48810FA782A3ABF81B28844511965D4D041E895D4B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 287 |
| Entropy (8bit): | 5.235208415638447 |
| Encrypted: | false |
| SSDEEP: | 6:SFd9+q2PRN2nKuAl9OmbnIFUt85F0VZmw+5F05VkwORN2nKuAl9OmbjLJ:44vaHAahFUt8kV/+kH5JHAaSJ |
| MD5: | 4732B928F2B0B87D56A619C119EBC74A |
| SHA1: | 1E447BE15BECFDD4196B9A1948CB571FF4BB73E5 |
| SHA-256: | EF52AB778F33BC885142DC8C8563BDCFEB6080D2D0C45A76BD66B3BC4908115A |
| SHA-512: | 07C626652E5859528E2C77E5573666F90EBF3ADB781980398D6E5B0242A1C01651365EE34B186D287EC80A48810FA782A3ABF81B28844511965D4D041E895D4B |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 334 |
| Entropy (8bit): | 5.174189740658573 |
| Encrypted: | false |
| SSDEEP: | 6:S5dKVq2PRN2nKuAl9Ombzo2jMGIFUt850gZmw+50IkwORN2nKuAl9Ombzo2jMmLJ:zvaHAa8uFUt83/+l5JHAa8RJ |
| MD5: | EF787EB21BAE08B7A9002CB02EAE22D5 |
| SHA1: | 6B655BC9E4E6CDB21EE2DC4ED3F00EEF7DFFDFB5 |
| SHA-256: | 834E2285612E5DD00552A07D348B6AFAF75B7B4EBC7FC281CDF7837521EA0B8D |
| SHA-512: | B17CE31087CEE6A5E405242776A2D228779038ED1183B4579034C135E73C0D11C9E138C3E475FAF6BA310DA3EB6F3E6720448470693976F82FCF5FB4B726DCAB |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 334 |
| Entropy (8bit): | 5.174189740658573 |
| Encrypted: | false |
| SSDEEP: | 6:S5dKVq2PRN2nKuAl9Ombzo2jMGIFUt850gZmw+50IkwORN2nKuAl9Ombzo2jMmLJ:zvaHAa8uFUt83/+l5JHAa8RJ |
| MD5: | EF787EB21BAE08B7A9002CB02EAE22D5 |
| SHA1: | 6B655BC9E4E6CDB21EE2DC4ED3F00EEF7DFFDFB5 |
| SHA-256: | 834E2285612E5DD00552A07D348B6AFAF75B7B4EBC7FC281CDF7837521EA0B8D |
| SHA-512: | B17CE31087CEE6A5E405242776A2D228779038ED1183B4579034C135E73C0D11C9E138C3E475FAF6BA310DA3EB6F3E6720448470693976F82FCF5FB4B726DCAB |
| Malicious: | false |
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\229e5e5f-5af4-436a-918f-f8cd2f15ec81.tmp
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 403 |
| Entropy (8bit): | 4.953858338552356 |
| Encrypted: | false |
| SSDEEP: | 12:YHO8sq/WLksBdOg2H9caq3QYiubrP7E4T3y:YXsRJdMHM3QYhbz7nby |
| MD5: | 4C313FE514B5F4E7E89329630909F8DC |
| SHA1: | 916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56 |
| SHA-256: | 1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873 |
| SHA-512: | 1726CAFCBA0121691DFA87A7298E6610BC4C7FD900867FD1B1710811E764918585E56788E08B7CA2CEE001F5DFD110E1BE6F6BBD7C2A7B7E2FC87D3DED210205 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 403 |
| Entropy (8bit): | 4.953858338552356 |
| Encrypted: | false |
| SSDEEP: | 12:YHO8sq/WLksBdOg2H9caq3QYiubrP7E4T3y:YXsRJdMHM3QYhbz7nby |
| MD5: | 4C313FE514B5F4E7E89329630909F8DC |
| SHA1: | 916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56 |
| SHA-256: | 1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873 |
| SHA-512: | 1726CAFCBA0121691DFA87A7298E6610BC4C7FD900867FD1B1710811E764918585E56788E08B7CA2CEE001F5DFD110E1BE6F6BBD7C2A7B7E2FC87D3DED210205 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF60c3e9.TMP (copy)
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 403 |
| Entropy (8bit): | 4.953858338552356 |
| Encrypted: | false |
| SSDEEP: | 12:YHO8sq/WLksBdOg2H9caq3QYiubrP7E4T3y:YXsRJdMHM3QYhbz7nby |
| MD5: | 4C313FE514B5F4E7E89329630909F8DC |
| SHA1: | 916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56 |
| SHA-256: | 1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873 |
| SHA-512: | 1726CAFCBA0121691DFA87A7298E6610BC4C7FD900867FD1B1710811E764918585E56788E08B7CA2CEE001F5DFD110E1BE6F6BBD7C2A7B7E2FC87D3DED210205 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\e1016917-5c58-40b2-8e56-cb83e1723b39.tmp
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 403 |
| Entropy (8bit): | 4.989006718295236 |
| Encrypted: | false |
| SSDEEP: | 12:YHO8sq7UxsBdOg2HtOtcaq3QYiubrP7E4T3y:YXswdMHl3QYhbz7nby |
| MD5: | E5E017D1D0E1E4B524919C863E74609D |
| SHA1: | 197D55C9A4DCC2607BF053ACB69205715BCAB640 |
| SHA-256: | D5C76B61D4B14EA719CCBF4F3E43889CEB9C05085065639B5C46DD6DE2619938 |
| SHA-512: | 26593FA847C7914F00C85F77A013E148E22ACF16F82CD5161D3F2475D00DAF53FE1787BF1B2750B54B8E8582C50DB45954550FDF31063CBC2415283FA5C3D44E |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4099 |
| Entropy (8bit): | 5.233415390247413 |
| Encrypted: | false |
| SSDEEP: | 96:OLSw0bSwIAnrRqLX2rSq1OUxu/0OZ0xRBTxekN8xeHM/Wr9m:OLT0bTIeYa51Ogu/0OZARBT8kN88s/Qs |
| MD5: | 7BDDEA1CEA094CCDDDA9A03C812BE9B8 |
| SHA1: | C4FB64B01B4984958A06A459618DD81096967B00 |
| SHA-256: | 5BEE8E266E87AAF5B9F8D1367C579D95D9C835D0DD17D494886BB2A342821381 |
| SHA-512: | F5C599FCAAFBF93ADAAF0AA012011756B18DE1B08D691F071383C6B00C40E575CE5B428B039013FA86CCE5AC8FE22132D5FB4BE63D9E3D71ABBA1E308CEAEDA9 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 322 |
| Entropy (8bit): | 5.203524384678868 |
| Encrypted: | false |
| SSDEEP: | 6:Sy0Vq2PRN2nKuAl9OmbzNMxIFUt85TuXgZmw+5RepIkwORN2nKuAl9OmbzNMFLJ:+vaHAa8jFUt8lv/+95JHAa84J |
| MD5: | 8025F7D839906B784976613D418DE638 |
| SHA1: | D176A456703C05F8787C6D6700E3A5131831A375 |
| SHA-256: | 90D3B5BD1F5A072675AD4303FCD7C312C98533D6EDE385EB4E69F9E1FC462D25 |
| SHA-512: | 9CD315F2ED9FA87B8B64F428830258493DCFD28D20407F388623FAC4180ECF402436083FFC99E4FF27EF5299B6AEB1A4192D6EA59B66F6433A01A8E84C2772B8 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 322 |
| Entropy (8bit): | 5.203524384678868 |
| Encrypted: | false |
| SSDEEP: | 6:Sy0Vq2PRN2nKuAl9OmbzNMxIFUt85TuXgZmw+5RepIkwORN2nKuAl9OmbzNMFLJ:+vaHAa8jFUt8lv/+95JHAa84J |
| MD5: | 8025F7D839906B784976613D418DE638 |
| SHA1: | D176A456703C05F8787C6D6700E3A5131831A375 |
| SHA-256: | 90D3B5BD1F5A072675AD4303FCD7C312C98533D6EDE385EB4E69F9E1FC462D25 |
| SHA-512: | 9CD315F2ED9FA87B8B64F428830258493DCFD28D20407F388623FAC4180ECF402436083FFC99E4FF27EF5299B6AEB1A4192D6EA59B66F6433A01A8E84C2772B8 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241023132647Z-164.bmp
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65110 |
| Entropy (8bit): | 2.4850795201206743 |
| Encrypted: | false |
| SSDEEP: | 384:WRvfez1LNN9KgeE1qKyaaZ0MLeIFVzzHMUwrPBWn6/I:CXe9cRE1hHaZ0MLeydDMr5WneI |
| MD5: | 6B3C6E0080656AFF405717A8D76CA98B |
| SHA1: | 72AA34F23DB11F913F44FB4B6D0B74701F3A9017 |
| SHA-256: | 7D83BA669A81842C6DE26C35277C37EFC423CBA4AAB10209655B8EC09D0C2A80 |
| SHA-512: | 7776360488A660C6D87BC053C3B2F489149102B701B7B2884DD11DFA99549FE41159FD0FC73779708697BEABF4FA9FB8DB146A1BA41233485E520212C1B1C158 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 57344 |
| Entropy (8bit): | 3.291927920232006 |
| Encrypted: | false |
| SSDEEP: | 192:vedRBvVui5V4R4dcQ5V4R4RtYWtEV2UUTTchqGp8F/7/z+FP:veBci5H5FY+EUUUTTcHqFzqFP |
| MD5: | A4D5FECEFE05F21D6F81ACF4D9A788CF |
| SHA1: | 1A9AC236C80F2A2809F7DE374072E2FCCA5A775C |
| SHA-256: | 83BE4623D80FFB402FBDEC4125671DF532845A3828A1B378D99BD243A4FD8FF2 |
| SHA-512: | FF106C6B9E1EA4B1F3E3AB01FAEA21BA24A885E63DDF0C36EB0A8C3C89A9430FE676039C076C50D7C46DC4E809F6A7E35A4BFED64D9033FEBD6121AC547AA5E9 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 16928 |
| Entropy (8bit): | 1.2157987320354984 |
| Encrypted: | false |
| SSDEEP: | 48:7MxaRqLmFTIF3XmHjBoGGR+jMz+LhPkzn:7zRf9IVXEBodRBkJkzn |
| MD5: | A00239533F04FCE7638CD3FB815A03D7 |
| SHA1: | AC80ED62FAB8896E339D24D4271A455646B5976B |
| SHA-256: | 37D176204ED0BA11635E5710411BFBCE4BAFE979FAF8E1BA7BB9E0CAB41D569C |
| SHA-512: | 19F971E9EB22568CA2BAD8869DFA21FB6B7CA311F7814C93EA10DC0E752A11D4325A4BA8F9DF054B0F35DEF7837706B39958F129D146563C3E2806014C41C879 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1391 |
| Entropy (8bit): | 7.705940075877404 |
| Encrypted: | false |
| SSDEEP: | 24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1 |
| MD5: | 0CD2F9E0DA1773E9ED864DA5E370E74E |
| SHA1: | CABD2A79A1076A31F21D253635CB039D4329A5E8 |
| SHA-256: | 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6 |
| SHA-512: | 3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 71954 |
| Entropy (8bit): | 7.996617769952133 |
| Encrypted: | true |
| SSDEEP: | 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ |
| MD5: | 49AEBF8CBD62D92AC215B2923FB1B9F5 |
| SHA1: | 1723BE06719828DDA65AD804298D0431F6AFF976 |
| SHA-256: | B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F |
| SHA-512: | BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 192 |
| Entropy (8bit): | 2.756901573172974 |
| Encrypted: | false |
| SSDEEP: | 3:kkFklMye7+kXfllXlE/HT8kWvNNX8RolJuRdxLlGB9lQRYwpDdt:kKVyK6T8PVNMa8RdWBwRd |
| MD5: | ECB940678B60D39E5C6BB2171DBFCA4D |
| SHA1: | 54FF23A8594D6B83498168743231EFB00CCE094F |
| SHA-256: | A98036E6A81FAAF0C1B33E8A58228E6A4F22668C515CE9CF0A8DB5ED373F0789 |
| SHA-512: | 1FACED71372D4103A1351F52D650DC6829AFBF12BCB3029EF78A1A1CFB0C951C324774766E8E5AF9BE0ACE2CE2A4ABED40060B8FDA49F871887D206F3B33C85E |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 328 |
| Entropy (8bit): | 3.150184159866505 |
| Encrypted: | false |
| SSDEEP: | 6:kKr6kT9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:2DnLNkPlE99SNxAhUe/3 |
| MD5: | 00A8202CCB63CE268072B0BB22DD2E4F |
| SHA1: | 73D5A54FC08B46BBAEBBA1EC03C37C06447A7F24 |
| SHA-256: | 165B6BA86815696454DD1F7477C80E77746F51A1B9EB11A01A414912CBA3A0E6 |
| SHA-512: | C2CF23F584EBE8B2B30ECFAFC007F830B692502D6AE89009758AD25624590DC158CD10731B34EAF0AC1E4DB6AF88C95129657819753AF80895A1907A2035FA94 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4 |
| Entropy (8bit): | 0.8112781244591328 |
| Encrypted: | false |
| SSDEEP: | 3:e:e |
| MD5: | DC84B0D741E5BEAE8070013ADDCC8C28 |
| SHA1: | 802F4A6A20CBF157AAF6C4E07E4301578D5936A2 |
| SHA-256: | 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06 |
| SHA-512: | 65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2145 |
| Entropy (8bit): | 5.0809801947415885 |
| Encrypted: | false |
| SSDEEP: | 48:YwAiESAuYCjWbj2CjxjZ4oijxi+0jPjrVbjBgajF:lDWP2ERaTx3y7BPBgMF |
| MD5: | 65E3D94A8ADA7EF3776AB2E7786F59EF |
| SHA1: | 7BBE21085879F57893068404ADC8DA3FBE258A61 |
| SHA-256: | 6261A48163D4754A658ECBFEACC11AB315F3894F4E141CEC060EFFA440BE61D8 |
| SHA-512: | 8543ADD5614750D74F1A92D94F23AD705BAE02E99AAD4DBA8D4DFCD09E30D799A44A58B9B5A1DF1CCFE30A12806A5358CFE9A70FA88A04F332CD16D2B4D9CC76 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 0.9896272906362629 |
| Encrypted: | false |
| SSDEEP: | 24:TLHRx/XYKQvGJF7urs67Y9QmQ6QewIcLESiAie4F:TVl2GL7ms67YXtr/cI8I |
| MD5: | 185EFBA54596C39AD81D874436C1ED04 |
| SHA1: | D3F9B31F382930B43C300C39421BE80CBF3BACE9 |
| SHA-256: | 906443E5DE5C000BAA4CEFA52AC83B3840E20547FB3FDBB623BC1F714D27C026 |
| SHA-512: | 25F3295E3145A6663CEB227580AB64083F67B326ABF42202E719C54F04AE653E3AC57FECD266F65040AB92AE16E28CAE2DF070C5B71FCA17D237CA7F68B2B7DD |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8720 |
| Entropy (8bit): | 1.345312568520325 |
| Encrypted: | false |
| SSDEEP: | 24:7+tNASY9QmQ6Qew7cLESiAi0mY9QfqqLBx/XYKQvGJF7ursi:7MNlYXtrMcI8KYvqll2GL7msi |
| MD5: | 50EF01B594130CD32A745794A22EEAB5 |
| SHA1: | 031C8DCAC75003ED5EE3DCAA6276A10CB6FF4373 |
| SHA-256: | 6ABFC32F5EA05E37A640F7C0C25D4DA0A0FCFCED4B16DB94DAC248DCD1CC99DF |
| SHA-512: | 2C0140CAEDBDB2C55C530F1ABCD1AEA0CCD3397F7AEEF67B6DD581665FC6159CEEC67FC2C1EB5D8EC1370148376BB5D3CF6D18A0CA2AA6C7AD6C2E023802473A |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 231348 |
| Entropy (8bit): | 4.386717810715149 |
| Encrypted: | false |
| SSDEEP: | 1536:JIYLzYgsHsg0xwVmkgsb1NcAz79ysQqt2jpTkqoQFIrcm0FvHYNyn8bveZLpzvoR:FEgTSXgKmiGu2qqoQ6rt0Fv3AetVmPJX |
| MD5: | 560524B6AA728A438792E4C138067942 |
| SHA1: | BF4BAA1FAB8174B6EBBFFD995283762BE4061F14 |
| SHA-256: | D66EBB46A44C4072D3412C6C4EE2471D4FA6D5DF674060120641A477D289854C |
| SHA-512: | 2E0A6354CE6FB129E485CB50E3D4AF9FCA41BEB71493A8A1B1EB03636F32BFC53ABA6883247E99235F5B11D61F71796732C80575804ED20FF580331F8F94891A |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 322260 |
| Entropy (8bit): | 4.000299760592446 |
| Encrypted: | false |
| SSDEEP: | 6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl |
| MD5: | CC90D669144261B198DEAD45AA266572 |
| SHA1: | EF164048A8BC8BD3A015CF63E78BDAC720071305 |
| SHA-256: | 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899 |
| SHA-512: | 16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 10 |
| Entropy (8bit): | 2.6464393446710157 |
| Encrypted: | false |
| SSDEEP: | 3:LM60:X0 |
| MD5: | F04A63857ABDE2895E55D41B7E405753 |
| SHA1: | 6E7C06165647772C3601AA862FFF131BE4379432 |
| SHA-256: | 33043C2D77A5CA4159245E4B01D6851DAF465D9DE1DD48B07D9835C066859EC9 |
| SHA-512: | 9DC36BEFBF2007F865EBD6A49478A2E6E6A5A033593C1FB9507B45FE978C54678EEB8B491F9922CAED4F3CC2E0D07C35096E90057CA34D3D9D896D7A572E818F |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4096 |
| Entropy (8bit): | 0.09216609452072291 |
| Encrypted: | false |
| SSDEEP: | 3:lSWFN3l/klslpF/4llfll:l9F8E0/ |
| MD5: | F138A66469C10D5761C6CBB36F2163C3 |
| SHA1: | EEA136206474280549586923B7A4A3C6D5DB1E25 |
| SHA-256: | C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6 |
| SHA-512: | 9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4616 |
| Entropy (8bit): | 0.13654994434077541 |
| Encrypted: | false |
| SSDEEP: | 3:7FEG2l+g1rl4/FllkpMRgSWbNFl/sl+ltlslVlllflllcn:7+/lf1Og9bNFlEs1EP/Vcn |
| MD5: | EC840D91C34480668972869EBACF91CE |
| SHA1: | D8DE3B62CEC36996284813662350BC18A61E0F03 |
| SHA-256: | CECB4ABDFCA8AC1D3376B641B58E77527F2848FC36C4BCAA3EE370797A205285 |
| SHA-512: | 2FBC62F1115DE1A537907EBE3C627D85FDE632437B2AC223157758249D1C2CCD9EC638134E4BC1CAFE049CE970FAFB5106EB18561DF84CF899299F4096A0DCB6 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 32768 |
| Entropy (8bit): | 0.04470641479249482 |
| Encrypted: | false |
| SSDEEP: | 6:G4l21qnNvVCnl21qnNvVCt/0L9XXPH4l942U:l2g42gW/05A0 |
| MD5: | 7140BFEE6EF62B8D78472F95F672FF1D |
| SHA1: | A2CEB4B155988D272AC25582082C79C065AE7292 |
| SHA-256: | 025997677AC8CC40FBCC7092BCBFC31C2991D8392F1743A050E6E995E1BA7EB9 |
| SHA-512: | B519C348F010B21B507E3789E1113EA1BFA009BEA6D33109C3953107FE7CF52B9C25DD3ECDE97253F19003AFEA655E05D418D7E584E8366A7207C0D44FDBD1DF |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 45352 |
| Entropy (8bit): | 0.39498209005613816 |
| Encrypted: | false |
| SSDEEP: | 24:KmfzlQ3zRDMEUll7DBtDi4kZERDnAhJzqt8VtbDBtDi4kZERDKu:TfBQ1ZUll7DYMUhJzO8VFDYM |
| MD5: | 4CD38578F74C6A29CD66FF478CDC297C |
| SHA1: | 131C634DDAF073FCCA6170B70984F035A777DEC2 |
| SHA-256: | A3DD79FA699CA536BFBB96FCD00D2F6C9235E5B5A4D39A6BC3CD59F723AF93A6 |
| SHA-512: | 84C022A5BB69C765B007AA0942E1F1EFC0937E8AA4500B8BE35384CF309B462EB69548D1DC4E048B064151614E79294D9D136F7C805612E9B6C8EE9D6CCF1A56 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\162Z7WQ3\JohnGarby (002).pdf
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 30528 |
| Entropy (8bit): | 7.840108993931288 |
| Encrypted: | false |
| SSDEEP: | 768:jOEZAmHoM1eIlLTSW+V54RWwwsaWxv84f3kpy3Src:aEfH9pN+VeswwsaCnCrc |
| MD5: | D4D4CA0B3A3E1EFE107806732794D92C |
| SHA1: | CCD39382DD780A44C182C13665E7396F2654BD41 |
| SHA-256: | 00ECC8AC401CA77EB6C4553AE765E917BD0684EA1EE2F1AE338228B89E18CB8D |
| SHA-512: | BCF5D7A04894F459179261ED4C524A68FBBD2ADBFAD43DA21FA1F4337146331DD166419615705F5A4169CEC02914025AFBAA308EBD5BB0A4303DCA509FEDB038 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\162Z7WQ3\JohnGarby (002).pdf:Zone.Identifier
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | modified |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:gAWY3n:qY3n |
| MD5: | FBCCF14D504B7B2DBCB5A5BDA75BD93B |
| SHA1: | D59FC84CDD5217C6CF74785703655F78DA6B582B |
| SHA-256: | EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
| SHA-512: | AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\162Z7WQ3\JohnGarby.pdf
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 30528 |
| Entropy (8bit): | 7.840108993931288 |
| Encrypted: | false |
| SSDEEP: | 768:jOEZAmHoM1eIlLTSW+V54RWwwsaWxv84f3kpy3Src:aEfH9pN+VeswwsaCnCrc |
| MD5: | D4D4CA0B3A3E1EFE107806732794D92C |
| SHA1: | CCD39382DD780A44C182C13665E7396F2654BD41 |
| SHA-256: | 00ECC8AC401CA77EB6C4553AE765E917BD0684EA1EE2F1AE338228B89E18CB8D |
| SHA-512: | BCF5D7A04894F459179261ED4C524A68FBBD2ADBFAD43DA21FA1F4337146331DD166419615705F5A4169CEC02914025AFBAA308EBD5BB0A4303DCA509FEDB038 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\162Z7WQ3\JohnGarby.pdf:Zone.Identifier
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 26 |
| Entropy (8bit): | 3.95006375643621 |
| Encrypted: | false |
| SSDEEP: | 3:gAWY3n:qY3n |
| MD5: | FBCCF14D504B7B2DBCB5A5BDA75BD93B |
| SHA1: | D59FC84CDD5217C6CF74785703655F78DA6B582B |
| SHA-256: | EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
| SHA-512: | AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729689977853137500_982F8BAF-77FF-4057-942D-69B8A9BDAF9E.log
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20971520 |
| Entropy (8bit): | 0.00710516722458067 |
| Encrypted: | false |
| SSDEEP: | 192:iWaKKlcKTBLshOjVw52bsLIUWhJg4Nc0HlwBQ:iWUTTBL0OjVG2bEIUWhJgac0HlwBQ |
| MD5: | B653A9256D2F690EC15B403440D52093 |
| SHA1: | 6DF85F3DE8D421E2F9026373F70508921EDFBF03 |
| SHA-256: | DDA0BFD9A5251B1541A58008544DF6E4A5DB669A6203B68C170725091A574A67 |
| SHA-512: | E1C70B6FE97AC886213F113ED6F528B62EDDCF8E9D187F0D4049A421BA3882788365F7804EC8DA0D8A64AB1E36288E93967C362BE2341ED7FA668DC446E67318 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1729689977853928400_982F8BAF-77FF-4057-942D-69B8A9BDAF9E.log
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 20971520 |
| Entropy (8bit): | 0.0 |
| Encrypted: | false |
| SSDEEP: | 3:: |
| MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
| SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
| SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
| SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 246 |
| Entropy (8bit): | 3.5325285763919316 |
| Encrypted: | false |
| SSDEEP: | 6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rOlQa5YH:Qw946cPbiOxDlbYnuRKDlxYH |
| MD5: | 4329C6A183D512291DB379F877A911E2 |
| SHA1: | EB4E0BB621BAEE2A834980D58B58F1C4A80ABD10 |
| SHA-256: | 40D88D3722AD2E07699C2B1403925DC85620E0442D09F2F186CBC22B1B6BD517 |
| SHA-512: | 04279FFAA34A4D91FB016DA3E6E020C3CBB4B52285136727126BA2D505CB018130F31E44021CBDD7ADD345CD30C0FBE7C90DA6DC5765DC9FA8D19A105FDF3D14 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241023T0926170653-4880.etl
Download File
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 114688 |
| Entropy (8bit): | 4.553598757016395 |
| Encrypted: | false |
| SSDEEP: | 768:Ox8bZvxvM82e8prmq4cksNS9gAJqlETQpnmXFmdbUhU7uYh6X43R7UBSpqs36via:+yv64cFNS9gAXTQ4XFuCR |
| MD5: | 353D642F15EC0C9EF58553AA7E7C7359 |
| SHA1: | 9604DC4AC5F55DCBE46F804C639718B0BF52269A |
| SHA-256: | 8BAF16D377F01AA1740052F660BA151CF48AF4203170CC52DA4EE4D08EF1D500 |
| SHA-512: | 1A55975968E84B55B2381D05306D01371B35DC16372B633729A68DD3D3CD798F2B6D713F5C5D606172139F20390406622410B247AE5E895A525A7327C339D964 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-23 09-26-45-080.log
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 16525 |
| Entropy (8bit): | 5.353642815103214 |
| Encrypted: | false |
| SSDEEP: | 384:tbxtsuP+XEWJJQbnR8L31M7HeltV+KYm3wsa2KjF4ODkr/O8r2IUHUHMWwEyZRN2:aPL |
| MD5: | 91F06491552FC977E9E8AF47786EE7C1 |
| SHA1: | 8FEB27904897FFCC2BE1A985D479D7F75F11CEFC |
| SHA-256: | 06582F9F48220653B0CB355A53A9B145DA049C536D00095C57FCB3E941BA90BB |
| SHA-512: | A63E6E0D25B88EBB6602885AB8E91167D37267B24516A11F7492F48876D3DDCAE44FFC386E146F3CF6EB4FA6AF251602143F254687B17FCFE6F00783095C5082 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 15114 |
| Entropy (8bit): | 5.326398026037151 |
| Encrypted: | false |
| SSDEEP: | 384:/nJLEahBIJ8i0vhYyxA5QOqCG1Y9+rnxJCtJkY0eb9xGwh5eEdis88psxYiM3ee+:V7J |
| MD5: | C8ED474AA510413F0DCAF846105913DC |
| SHA1: | C08BD77201FB46C40EA1DB4499A18F3D63B2D791 |
| SHA-256: | 4911906780F8E620A06BD3C8C27786A45A70E570E25A07AC42194F6E3B81933D |
| SHA-512: | 06EB0C9D13F58FEBAC64C94399907D75086B47D339BCDA57E0408761F090304740308C310202414B8E3E1BCC22A61C108865D472908EB9459BD7CFE0FCEA4F6F |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 29752 |
| Entropy (8bit): | 5.423034382065854 |
| Encrypted: | false |
| SSDEEP: | 192:0cbgIhPcbocbAIlncb2cbwI/RcbNcbQIVvcbXcb2ImocbJ:fhWlA/TV5mP |
| MD5: | 199F55319E009D10D03622934421A7B5 |
| SHA1: | CFCEE8DB58C5FE60E03564489DD7B92C79DA1B43 |
| SHA-256: | 2167EAC921F436C237482D7934EAFC5D9E86E49E0FAE9C026D3E2F6EFF3C68B6 |
| SHA-512: | F615422142B7930A1CB41A8FBA1BE638F27BED39C4198BAF7414267CF1D2FF2EC2DAA7EA9C72830FABD32FB48EB4E0DD96FD16862D1EFFC3436B1F1BDE0CCF1A |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1407294 |
| Entropy (8bit): | 7.97605879016224 |
| Encrypted: | false |
| SSDEEP: | 24576:NW7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tOWLaGZ4ZwYIGNPS:RB3mlind9i4ufFXpAXkrfUs0kWLaGZ48 |
| MD5: | 9A0DB1882660D02A9C5A0EA5814705F9 |
| SHA1: | 16EECDF2569D1BA1FF8357D6585E644ACB725A3A |
| SHA-256: | 725FE3DF6DBFBCC7B760F4AD240344095A1E2BD5BE4CAAC13D34B15BAC5052DC |
| SHA-512: | 2E51F185C6B4A3D5CBF5DB4859F3A5CC4649CD6D619015D454A899843D3D1303C6E6950BB542373CE713C51E0051ED9D4E8B62E3C12BBD6A93C0AC3DC28D277D |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1419751 |
| Entropy (8bit): | 7.976496077007677 |
| Encrypted: | false |
| SSDEEP: | 24576:/xaWL07oXGZGwYIGNPJwdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JaWLxXGZGwZGM3mlind9i4ufFXpAXkru |
| MD5: | 0A347312E361322436D1AF1D5145D2AB |
| SHA1: | 1D6C06A274705F8A295F62AD90CF8CA27555C226 |
| SHA-256: | 094501B3CA4E93F626ABFCAE800645C533B61409DC3D1D233F4D053CE6A124D7 |
| SHA-512: | 9856C231513B47DD996488DF19EEE44DBB320E55432984C0C041EF568B6EC5C05F5340831132890D1D162E0505CA243D579582EDB9157CF722A86EC8CE2FEAFE |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 758601 |
| Entropy (8bit): | 7.98639316555857 |
| Encrypted: | false |
| SSDEEP: | 12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg |
| MD5: | 3A49135134665364308390AC398006F1 |
| SHA1: | 28EF4CE5690BF8A9E048AF7D30688120DAC6F126 |
| SHA-256: | D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B |
| SHA-512: | BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 386528 |
| Entropy (8bit): | 7.9736851559892425 |
| Encrypted: | false |
| SSDEEP: | 6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m |
| MD5: | 5C48B0AD2FEF800949466AE872E1F1E2 |
| SHA1: | 337D617AE142815EDDACB48484628C1F16692A2F |
| SHA-256: | F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE |
| SHA-512: | 44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 30 |
| Entropy (8bit): | 1.2389205950315936 |
| Encrypted: | false |
| SSDEEP: | 3:JcklzX:Ssz |
| MD5: | E1A8E8BDB402A464456AFB38C03F1A37 |
| SHA1: | 382206D4EB38D2690E457262AE5104AC9EED3CC9 |
| SHA-256: | E236FDCD13D1B83391A641352AFD7A02D63BE41D07572BFF4D3DC8EFE3B99035 |
| SHA-512: | 821C97E472577D62B813FF63D124DF6582B639EA1B3DEDD82AE0CF6E37745C733EBE1E70B3732D6506E69AE7F622821CA1C48A6635CB6C53BCEEC83B9F2B62BB |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 16384 |
| Entropy (8bit): | 0.6701264453628039 |
| Encrypted: | false |
| SSDEEP: | 12:rl3baFsVqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCzjh2m:rh0mnq1Py961Pcm |
| MD5: | 3FE34A7A3298A84326FDE060340B3128 |
| SHA1: | AECB59482000533DB35864DC4F58F94BD62E3FCC |
| SHA-256: | FA7BBCB7C8267DBDD7EC5D04B2CC731B8BD2FF837E97F104384FA69DFF93258C |
| SHA-512: | 66642304C5ED689CFB98FBFC71A2B25193E1B0DBE83A183C0C95C1F6646CD4D645AAD71402DF2AA443283402055C14E79052219ECA780338C537ACF1E63BEDF4 |
| Malicious: | true |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 271360 |
| Entropy (8bit): | 3.560614319781914 |
| Encrypted: | false |
| SSDEEP: | 1536:5tTCVcl9tG039kMijUI1RkakSxw6gHel2M2siKiWl1uDiuUCNpL3zxHW53jEpEHF:5dtxJE1qYOLHeqBO+fNdpjmypj |
| MD5: | 1655AD2A54F51281C579B715BB0B1C7D |
| SHA1: | 471F587FC3C71264CCC08CBD37296D2F85D6DE61 |
| SHA-256: | 2BF86A7ACB64D6F28FC667E360043EFDA036FE4A224951CC1F33644515A78DDA |
| SHA-512: | 253A47259AA80CC4624F042ABA9B882D4CBFAD8C239622EB29F25B3825CB393AB001B0FD577654B1E865707FF643B7A71970ACE8D93ABDEEE59B169F56C49CC5 |
| Malicious: | true |
| Preview: |
| Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 131072 |
| Entropy (8bit): | 4.654162026862712 |
| Encrypted: | false |
| SSDEEP: | 1536:g7lTUiZR839kMipUI1RkukSxw6ZW53jEpEHPVQ10BAwrzqPKnKmU7tT:tJ+1qMOwpjh7d |
| MD5: | 6AD270014D8EE9CF95EA6F1384785322 |
| SHA1: | 3FFF4AF5A2C3E69DDCE497DE08989846EF290691 |
| SHA-256: | 073C18E589D43B2774D414EB5EBEAAA88FE2C9499149A471E1BC1DFE6965E015 |
| SHA-512: | A934B2A80B3ED61F8BB3D3083FDD203273EADD1CAE128493425C954E1EA0ACA1372E978677AB9E196DEC41022BB9031A8C85BB16120713512FA1AFF03486EB42 |
| Malicious: | true |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.142718512413805 |
| TrID: |
|
| File name: | John Garby.eml |
| File size: | 54'805 bytes |
| MD5: | 4089c8345685b82eca6a96828e6a9f77 |
| SHA1: | 5264f43ae46f9867d0d87e744e32742d5cbfe8fc |
| SHA256: | 2e3f747cf12a29db06f0e9883fdb512185078c0088eed21370325678e19ac57c |
| SHA512: | ecffb402c4f87247f98e0abaca0ac66b4725ab5b7a97601772bbdbacd5ed179270484e1842a3172f70612e566313230daf92e3d50563d5de50ee0dceaadc34f4 |
| SSDEEP: | 1536:R9UH0U8AzzYZfwFDzMn+BRSAqnFFrtR/KCA:jEzl5zMnORSvbXiz |
| TLSH: | DA33D003D9000472BBB0117E9F27DC362067BD1B3DB65891356E91EE07FA7BA3B28599 |
| File Content Preview: | Received: from PH8PR09MB10363.namprd09.prod.outlook.com.. (2603:10b6:510:18f::12) by SJ0PR09MB9953.namprd09.prod.outlook.com with.. HTTPS; Wed, 23 Oct 2024 01:03:26 +0000..Received: from DM6PR09CA0007.namprd09.prod.outlook.com (2603:10b6:5:160::20).. by P |
| Subject: | John Garby |
| From: | Tivarius Bordeaux <tivariusbordeaux@gmail.com> |
| To: | "Garby, John Jr CTR (FAA)" <John.CTR.Garby-Jr@faa.gov> |
| Cc: | |
| BCC: | |
| Date: | Wed, 23 Oct 2024 01:03:17 +0000 |
| Communications: |
|
| Attachments: |
|
| Key | Value |
|---|---|
| Received | by 2002:a05:622a:7910:b0:460:9826:dae2 with HTTP; Tue, 22 Oct 2024 18:03:17 -0700 (PDT) |
| From | Tivarius Bordeaux <tivariusbordeaux@gmail.com> |
| To | "Garby, John Jr CTR (FAA)" <John.CTR.Garby-Jr@faa.gov> |
| Subject | John Garby |
| Thread-Topic | John Garby |
| Thread-Index | AQHbJOddl65ifTuUnkSXjnNXd+m3qg== |
| X-MS-Exchange-MessageSentRepresentingType | 1 |
| Date | Wed, 23 Oct 2024 01:03:17 +0000 |
| Message-ID | <CAAJaOE2Py-ppR_nTGAAWTzPgW5pB411iBnotFSEW8JiFbk5vzw@mail.gmail.com> |
| Content-Language | en-US |
| X-MS-Exchange-Organization-AuthAs | Anonymous |
| X-MS-Exchange-Organization-AuthSource | BL02EPF0001B418.namprd09.prod.outlook.com |
| X-MS-Has-Attach | yes |
| X-MS-Exchange-Organization-Network-Message-Id | 1f8df195-7645-48c0-e3a6-08dcf2fe7cb3 |
| X-MS-Exchange-Organization-SCL | 1 |
| X-MS-TNEF-Correlator | |
| X-MS-Exchange-Organization-RecordReviewCfmType | 0 |
| received-spf | Pass (relay3.faa.gov: domain of tivariusbordeaux@gmail.com designates 2607:f8b0:4864:20::831 as permitted sender) identity=mailfrom; client-ip=2607:f8b0:4864:20::831; receiver=relay3.faa.gov; envelope-from="tivariusbordeaux@gmail.com"; x-sender="tivariusbordeaux@gmail.com"; x-conformance=spf_only; x-record-type="v=spf1"; x-record-text="v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all" |
| x-ms-publictraffictype | |
| x-ironport-anti-spam-filtered | true |
| x-ironport-av | E=Sophos;i="6.11,223,1725336000"; d="pdf'?scan'208";a="733767776" |
| authentication-results | spf=softfail (sender IP is 204.108.9.5) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com; |
| x-ms-exchange-transport-endtoendlatency | 00:00:05.5762242 |
| x-ms-traffictypediagnostic | BL02EPF0001B418:EE_|PH8PR09MB10363:EE_|SJ0PR09MB9953:EE_ |
| x-forefront-antispam-report | CIP:204.108.9.5;CTRY:US;LANG:fr;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:acyinternalrelay1.faa.gov;PTR:ErrorRetry;CAT:NONE;SFS:(13230040)(7093399012)(82310400026)(8096899003);DIR:INB; |
| x-ms-exchange-crosstenant-originalarrivaltime | 23 Oct 2024 01:03:20.6765 (UTC) |
| x-ms-exchange-crosstenant-fromentityheader | HybridOnPrem |
| x-ms-exchange-crosstenant-network-message-id | 1f8df195-7645-48c0-e3a6-08dcf2fe7cb3 |
| x-ms-exchange-transport-crosstenantheadersstamped | PH8PR09MB10363 |
| x-ms-exchange-crosstenant-id | 2b69d099-dc61-447b-84c8-001733d8be3a |
| x-ms-office365-filtering-correlation-id | 1f8df195-7645-48c0-e3a6-08dcf2fe7cb3 |
| x-microsoft-antispam | BCL:0;ARA:13230040|7093399012|82310400026|8096899003; |
| ironport-sdr | 67184b57_Hu4VDzJOtczRzY/VKRq4dwzcjesdQgcqw7QYCkufFhJb0Na 9DGwBuP8ly7xW5DgA29FwCTfBd4ixYghpkdxjvQ== |
| dkim-signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1729645398; x=1730250198; darn=faa.gov; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=jibiurI2Hkp55bB7UQ9P/41TTf2Rj+dRJ5P6rCMSX9A=; b=P23BaB82HiNNsfwYxiULL1QYGlb2u/oSvx6Vk6+xG6GWGFL6v2MtlUGTPgAYLpCHCD ZDb8m8JG4ai56wmHLk6r+bxvmNB1op96ag8qTRZ2WrlRzw2c9adJmFypZODqglCX+/am tb3VHTBqZAbxbCX2WunzHuykIbejP6EEs6chFdFNuBVczvAIuBlc6Q3BOqAUWw/88ULl QDqqOSOtdPwuEQ7SCG0L0detkD2DFQ3npN0o1KhH3PoDH/UkSsw+dJtgOH3XIsAv2PJb 1L6mwRM9yOH7I/1ehMdaKZb0r5Ozu1jy9nm1Y7Mz4ZBvevooru6o33iGcWRtH2iQYMIV idIg== |
| x-originatororg | usfaa.onmicrosoft.com |
| x-ms-exchange-processed-by-bccfoldering | 15.20.8069.009 |
| authentication-results-original | relay3.faa.gov; spf=Pass smtp.mailfrom=tivariusbordeaux@gmail.com; dkim=pass (signature verified) header.i=@gmail.com; dmarc=pass (p=none dis=none) d=gmail.com |
| x-eopattributedmessage | 0 |
| x-gm-message-state | AOJu0YwUjtWWdks2t1PU0FgH/bzUnmvgPvEJb5LbCvefgnwJiTx54FgX +8LPkt38yCc/F2GUNdVgfW6LSaPdRrU62o2/uTvPGAakXK8tDIBi++D9EoIbnxJkQgetTt74zr7 NsJAKVnbRx1MTU9pIrh8hxxZrBYEC+mTzCCA5 |
| x-google-smtp-source | AGHT+IFK6yd+mwy7Wkg+9bqdIl/Tw+wucd7IE61VagdB2xmpY2W7ySpfbCTjMuemXKil63IhfnHSWplfazSm5LvbrWk= |
| x-received | by 2002:ac8:5847:0:b0:461:c8b:6448 with SMTP id d75a77b69052e-4611409f751mr18370881cf.12.1729645397557; Tue, 22 Oct 2024 18:03:17 -0700 (PDT) |
| x-ms-exchange-crosstenant-originalattributedtenantconnectingip | TenantId=2b69d099-dc61-447b-84c8-001733d8be3a;Ip=[204.108.9.5];Helo=[acyinternalrelay1.faa.gov] |
| x-ms-exchange-crosstenant-authsource | BL02EPF0001B418.namprd09.prod.outlook.com |
| x-ms-exchange-crosstenant-authas | Anonymous |
| x-google-dkim-signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729645398; x=1730250198; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=jibiurI2Hkp55bB7UQ9P/41TTf2Rj+dRJ5P6rCMSX9A=; b=r3k0SqqFBkC+Lo/W4CAD9QoHBhlhDapdo/pGcOeAs7b+KXvtTZVdVF8c7P/l3pPYhi /bmf0jnstMGM2TybRiYZ3sHjTGH8V5rtAApV4mt6GDpb/889IOoOmI3mpIGU8trrbJwP H+WZPpouChUM+l81/QDlyFKiye3vZtRbIcpCyENhsJ4sVZLuuxWsUXj7o36Y8FpcwBh/ 9UAdG9Kinl5k7u2LQHkERCx8FMn4XT+kFfIa58e9DUA77lg31Tj7R5mvvhVRQqMY8/xR I26iZGK4fW5Gwcq6hUPIsmtsBsFZ4I6XuzHsClHeQH5dYILZ7VtCKDe2C3Woq1IZj/sF cPsg== |
| ironport-hdrordr | A9a23:zAaCGqkUwyucn5Lp/VyDxclPinjpDfIj3DAbv31ZSRFFG/Fw9v re+sjzsCWftN9/YgBDpTntAtjifZq+z/9ICOsqTNKftWDd0QPCTL2KhrGSpwEIdReOkdK1Fp 0NT0G9MrDN5JRB4voSKTPXL+od |
| X-Microsoft-Antispam-Mailbox-Delivery | ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003); |
| X-Microsoft-Antispam-Message-Info | CrKvS3ycwRu021yN67jeqkrlglIlCeogNTsjV9BzsbClck3jigU5IDMWlLrMgGmLTbtyV7Y8tAKQ8iSq3oa+4BFkHMUv13/HAaCJFV/Fe5p8eBY/LMytm9ipcINCNJLZ1OQK3JpMmev/DQ05lcOtfsGBY5sWQ4HNfeAGSaUITxn/nI066vpTREder5koXNe/naJAUd/97fM1qOvvTzHXP0w4xbYX4w8DDR2pamiCCTbQbCJmx3ly132GCDjXoWU2CDQ6y9UxavRsVoHI+ms/cQ9M91sYbBIImccVhflMCNdyWk8bArXdO/20pRcCWHtkzzc8Cry7nvxPIiHghSCXJS9wPx6214lvDm4HikJNKg268Zhq8Vi6Y/jSLfblxGtTOChYIS2629XA0hopTQFIGf/lfiCuoWz5z8glEErbHsN+KYwMyopoKb3HkjeOTT7ZCuKrjyokVHI7ie+fNS/rImFfP402wt5Eikl3bFX3x40YEMf6QUDc1ygNj4cb91gvYuDIyX1LW2aWmZ05ntKEb02ZpKHwjLHI+cL4pYrlnz8PDC3bBUSRLfaVpgyhwUzT97tfQHzeywf3OCXD5GtR/BbewYACOgaQMsEY1OS8OLldDqj0ZhsxPmQuZlTOVNSOpH6mGmM1Mn3ZwU3i4XP2RzyGHzGqubcHEuRo7rbODj5j34kZiws/uNvEcPbvQdzTgOxqR94XP9C7dixY49Ad9lhujGc55HycFn4Tgq32zHAiFuWcPKZ3QcwYCW276fBoGTPUs9CscremAqQQupPMYZ2F4EYW4DW1t9phAvps25McyNq4h9SLmwwyHDPL4I1rwj3OFc+f0qCRCbdMHRTBN/44drhlI0t95gJlprCWDXQgjdopnUMdC+u4RVFrcfnrXgJxgNH7ChXalWwTan7eKL7dfVAsbo8qChf7uIkAietskSLkMRO/1pVygUbYsKVIyFvMg2jFg4A0lIp8RlKFUoPkjm3agoRlcVFMPq4CKL9oVwO+3X22Cw4QqEw2gtX8cwxDX9y2zMzvqRcEbbHZaidxt0MqsVydCD9gxxGNJN66D/zFSNjuiWt/NC74Tdw4SKcGNxIUgbPIrdHKg3ackAjcvqWRGv/D2oCKBn3D15FDFVJVMMVlw8MPvaijkwwNIMInD5ECtAsSISkRob96Lv2QkJm+zfPneozUGPsPF6J/Bm/w63DBuN5rktc6jjaPX18Bh1yUxoSmggGauL10jlNd01PrMzciKGQxo3kzKb82/Nkod0unmGDbsWtTI21LNbDEVBdyWdsoZBxIWpaLSxth6fFD2sGD+57DmCUGv1Yw1Wkyoc9Zb+GIc1+hK52RN7iEIcDjECXsAe58znkc/fuYCtqulSzup2ykG3T99t80HNZEkZCvFIQdhBUATrXSN9Eh1uC85qKGeCB96MaO29BgmiVHIT1fl/haBmjZWogF8FEygUYbi6ukCvrzg0De4tWTyhAVYcthTbkemeXgZdqMSo+pLZD7AqMqIAktZ59xrliTU9Sk3KKMogwsTcTze+fD86AOvygqKVvQ/Y92mjuHRmLIUuo96dk6M7jqe8vmnjDG2lnXbychrxfaolhLRFxtz5JS+ntdzh6/JW2u+k0FTmsQBWLnBp1PHMgJeNTgPC13864Yy1am4NONBuA+AEvhLXtttn+ciUb0ZO9zXLlIgheRuZ7fZ06oXxrUeS7TIGRYw99iE7X2Tlgwd5QogBTPXiZWxQpbJGyf3sVb5blHhkj7XMKLuE9QVqxQEHuJ16d70a30TYnfATJ5ohkYaLFABRFXCk9xv5YsMVcanMtu2jxaPoZB6e6G6OC9dnvG0pHVHMlShC4hrwyIun1puES3UYWmyQqU+ZkUnI3jScEmQ10qfv6/qx51+f+VriWa2etD8+a453Hi/IlJYGJm6sbNZ5SY85zZppxjOgbRv2zg0DlY1wtDYbvjFCbTXmA= |
| Content-Type | multipart/mixed; boundary="_004_CAAJaOE2PyppRnTGAAWTzPgW5pB411iBnotFSEW8JiFbk5vzwmailgm_" |
| MIME-Version | 1.0 |
 | |
| Icon Hash: | 46070c0a8e0c67d6 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 23, 2024 15:26:56.168323040 CEST | 64780 | 53 | 192.168.2.16 | 1.1.1.1 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 23, 2024 15:26:56.168323040 CEST | 192.168.2.16 | 1.1.1.1 | 0xe219 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 23, 2024 15:26:56.176084042 CEST | 1.1.1.1 | 192.168.2.16 | 0xe219 | No error (0) | crl.root-x1.letsencrypt.org.edgekey.net | CNAME (Canonical name) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 4 |
| Start time: | 09:26:17 |
| Start date: | 23/10/2024 |
| Path: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb80000 |
| File size: | 34'446'744 bytes |
| MD5 hash: | 91A5292942864110ED734005B7E005C0 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 6 |
| Start time: | 09:26:18 |
| Start date: | 23/10/2024 |
| Path: | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff679ff0000 |
| File size: | 710'048 bytes |
| MD5 hash: | EC652BEDD90E089D9406AFED89A8A8BD |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 9 |
| Start time: | 09:26:41 |
| Start date: | 23/10/2024 |
| Path: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff65b720000 |
| File size: | 5'641'176 bytes |
| MD5 hash: | 24EAD1C46A47022347DC0F05F6EFBB8C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 10 |
| Start time: | 09:26:42 |
| Start date: | 23/10/2024 |
| Path: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff74c630000 |
| File size: | 3'581'912 bytes |
| MD5 hash: | 9B38E8E8B6DD9622D24B53E095C5D9BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 11 |
| Start time: | 09:26:43 |
| Start date: | 23/10/2024 |
| Path: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff74c630000 |
| File size: | 3'581'912 bytes |
| MD5 hash: | 9B38E8E8B6DD9622D24B53E095C5D9BE |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
⊘No disassembly