Edit tour

Windows Analysis Report
Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf

Overview

General Information

Sample name:	Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf
Analysis ID:	1542140
MD5:	2bec31492b3a10baeead838161407a05
SHA1:	eef55d6de4c29f84e34cada848ab5ac3600f310a
SHA256:	dc0048edad4cdf10fb977ef2f6a44bf412c2c0cbb82ef9c15761968191109061
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Detected use of open redirect vulnerability

Detected suspicious crossdomain redirect

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sigma detected: Suspicious Office Outbound Connections

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

WINWORD.EXE (PID: 6220 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

chrome.exe (PID: 7000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.catapult-connect.com/home/engagement/NTEwLVdlYnNpdGV8ODRiYjQxMTgwOWZiNGZlMWE2N2E2NjFhZDhlNTBlM2R8Y29uLTk3MTYxLWVufFdlYnNpdGUBX?l=http://vh26kx.pinboarddisplaced.com/?email=#aunali_khokhawala@iamgold.com MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1988,i,12616926578970350471,14776396972003459762,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Sigma Signatures

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.17, DestinationIsIpv6: false, DestinationPort: 49710, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 6220, Protocol: tcp, SourceIp: 52.123.243.204, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Detected use of open redirect vulnerability

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Proxy from: www.catapult-connect.com/home/engagement/ntewlvdlynnpdgv8odriyjqxmtgwowzingzlmwe2n2e2njfhzdhlntblm2r8y29ultk3mtyxlwvuffdlynnpdgubx?l=http://vh26kx.pinboarddisplaced.com/?email= to http://vh26kx.pinboarddisplaced.com/?email=

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf

Jump to behavior

Source: unknown	HTTPS traffic detected: 52.123.243.204:443 -> 192.168.2.17:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.17:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.150:443 -> 192.168.2.17:49790 version: TLS 1.2

Source: winword.exe

Memory has grown: Private usage: 0MB later: 82MB

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: www.catapult-connect.com to http://vh26kx.pinboarddisplaced.com/?email=

Source: global traffic

HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br

Source: Joe Sandbox View	IP Address: 199.59.243.227 199.59.243.227
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13

Source: global traffic	HTTP traffic detected: GET /config/v2/Office/word/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7ECC672D-85C0-448B-B1A9-729F3738F0F2%7d&Application=word&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bA479818C-5078-4E2D-9335-2B0AA0E295E8%7d&LabMachine=false HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipIf-None-Match: ""User-Agent: Microsoft Office 2014DisableExperiments: falseX-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130Host: ecs.office.com
Source: global traffic	HTTP traffic detected: GET /home/engagement/NTEwLVdlYnNpdGV8ODRiYjQxMTgwOWZiNGZlMWE2N2E2NjFhZDhlNTBlM2R8Y29uLTk3MTYxLWVufFdlYnNpdGUBX?l=http://vh26kx.pinboarddisplaced.com/?email= HTTP/1.1Host: www.catapult-connect.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VDUrcCGC24EkDez&MD=TYG3lRtt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VDUrcCGC24EkDez&MD=TYG3lRtt HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: -240X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAa0M9Ic0NHTHpTV5L%2BPXT4eE/ihX0ma2K%2Bqxj4Z3w3vBQT%2BQd1w7InmIoonB19jv%2BH8EL2f%2BGBGd672twTsaVsx4iBtnFzng40LMP7VYZ%2BoQVs07Fehh41KEzw3CPCSXXewyB/N35ZzycMBm2wXrt9xs3E9RTjr40e881zWqF4YcF%2BLKG7S%2Bjv/hAVutQhIyxBzDUrYsDdtf7bpqJG%2BWgZiDmoQ5RzqgI0vPPFQTCFiq2SuDMVj7791fFDopBTg8fSitv8EFlsCCMi/UjF4M7jCpSc1fM9EI%2B1MhwX9k%2BBHfjYPc6gA9OKvISNU9%2B8ZoK16AU7osM/9ctsKWpn9gTrAQZgAAEN04TM5tmVYfk%2B99Y3RDfviwAeWfcpUO%2BqwshT2HBqT5Dn4/SoMfNuQUNBfoMt%2BQUB%2BrCZnyYyZgq1jo9ydvhWeVzSUpeQUpk17FOxR5BivvlZl74LucHZvaxG1e4CtJuKmKqEcaIkU3mwNvs/Ty6TXN5oIivHjlH4AmGPFduRhiANdhR7%2B0g/OoiBpNc8UZrgp2xvmxZUdqnJlAugwhXdUN22ryjRNYKZD35xe3UB5t294PrCxP4slXGNPhtVY0OVnYq7sLxq74zrhHllYVxJ04/uuruEG8rcwWX%2BhfK20TMXotdDHSANUaK6DcLE5IxQznVHRrxvWXfEK%2B/yJOZHZvOCeqnyvezpbqhu47agwIy0L9kzYmVvR3yPqFfQQQb8ENL6SiYqRFuM1M5TJpw20hYIguJi/Unzs%2BOahW%2B0yuPLGqMcJEFiDZFBcic5xNGbWUOljs5Ac%2BzoqfudUpxQWJsepYUhuAIUVDytwzYCbquFPgRQ30U0LXZ8yhMRnwmkTlksHhev8x2hksDwL5Og9o5EhBnKMiEpgmGHTFK0Yu3mS5b4dWxtg2PL9bQ6U0SmJSaHm%2BkUm/23UH922NrTF26toB%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1729863419User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 9F8D82E5B2EB4B4188C74CD24CBA5576X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B

Source: global traffic	DNS traffic detected: DNS query: www.catapult-connect.com
Source: global traffic	DNS traffic detected: DNS query: vh26kx.pinboarddisplaced.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4742Host: login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 52.123.243.204:443 -> 192.168.2.17:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.17:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.150:443 -> 192.168.2.17:49790 version: TLS 1.2

Source: APASixthEditionOfficeOnline.xsl.0.dr	OLE indicator, VBA macros: true
Source: gosttitle.xsl.0.dr	OLE indicator, VBA macros: true
Source: sist02.xsl.0.dr	OLE indicator, VBA macros: true
Source: iso690.xsl.0.dr	OLE indicator, VBA macros: true
Source: chicago.xsl.0.dr	OLE indicator, VBA macros: true
Source: iso690nmerical.xsl.0.dr	OLE indicator, VBA macros: true
Source: gb.xsl.0.dr	OLE indicator, VBA macros: true
Source: mlaseventheditionofficeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: harvardanglia2008officeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: turabian.xsl.0.dr	OLE indicator, VBA macros: true
Source: ieee2006officeonline.xsl.0.dr	OLE indicator, VBA macros: true
Source: gostname.xsl.0.dr	OLE indicator, VBA macros: true

Source: APASixthEditionOfficeOnline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gosttitle.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sist02.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: chicago.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: iso690nmerical.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gb.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: mlaseventheditionofficeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: harvardanglia2008officeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: turabian.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ieee2006officeonline.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: gostname.xsl.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: sus24.phis.winRTF@20/245@6/6

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{A479818C-5078-4E2D-9335-2B0AA0E295E8} - OProcSessId.dat

Jump to behavior

Source: Equations.dotx.0.dr	OLE indicator, Word Document stream: true
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	OLE indicator, Word Document stream: true
Source: Element design set.dotx.0.dr	OLE indicator, Word Document stream: true
Source: Insight design set.dotx.0.dr	OLE indicator, Word Document stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf" /o ""
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.catapult-connect.com/home/engagement/NTEwLVdlYnNpdGV8ODRiYjQxMTgwOWZiNGZlMWE2N2E2NjFhZDhlNTBlM2R8Y29uLTk3MTYxLWVufFdlYnNpdGUBX?l=http://vh26kx.pinboarddisplaced.com/?email=#aunali_khokhawala@iamgold.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1988,i,12616926578970350471,14776396972003459762,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1988,i,12616926578970350471,14776396972003459762,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).LNK.0.dr	LNK file: ..\..\..\..\..\Desktop\Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf
Source: Google Drive.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Equations.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/item3.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Text Sidebar (Annual Report Red and Black design).docx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Element design set.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/media/image2.jpg
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/settings.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/document.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/styles.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/webSettings.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/glossary/fontTable.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = word/media/image10.jpeg
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/item2.xml
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = [trash]/0000.dat
Source: Insight design set.dotx.0.dr	Initial sample: OLE zip file path = docProps/custom.xml

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: Equations.dotx.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Web Protocols	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
svc.ms-acdc-teams.office.com	52.123.243.204	true	false	unknown
77980.bodis.com	199.59.243.227	true	false	unknown
catapult-connect.com	52.38.59.82	true	true	unknown
www.google.com	142.250.186.100	true	false	unknown
www.catapult-connect.com	unknown	unknown	true	unknown
vh26kx.pinboarddisplaced.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.catapult-connect.com/home/engagement/NTEwLVdlYnNpdGV8ODRiYjQxMTgwOWZiNGZlMWE2N2E2NjFhZDhlNTBlM2R8Y29uLTk3MTYxLWVufFdlYnNpdGUBX?l=http://vh26kx.pinboarddisplaced.com/?email=	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.59.243.227	77980.bodis.com	United States	395082	BODIS-NJUS	false
52.123.243.204	svc.ms-acdc-teams.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.38.59.82	catapult-connect.com	United States	16509	AMAZON-02US	true
142.250.186.100	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542140
Start date and time:	2024-10-25 15:35:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf
Detection:	SUS
Classification:	sus24.phis.winRTF@20/245@6/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .rtf

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, TextInputHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 184.28.90.27, 142.250.186.163, 216.58.212.174, 74.125.206.84, 34.104.35.123, 192.229.221.95, 13.69.109.131, 142.250.74.195, 142.250.185.227, 95.101.111.168, 95.101.111.179, 2.16.164.89, 2.16.164.34, 88.221.110.227, 88.221.110.138, 142.250.185.131, 172.217.16.206
Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1847.dscg2.akamai.net, clients2.google.com, ocsp.digicert.com, e16604.g.akamaiedge.net, update.googleapis.com, officeclient.microsoft.com, www.gstatic.com, prod.fs.microsoft.com.akadns.net, www.bing.com, clients1.google.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, accounts.google.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, onedscolprdweu03.westeurope.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, e26769.dscb.akamaiedge.net, edgedl.me.gvt1.com, config.officeapps.live.com, evoke-windowsservices-tas.msedge.net, metadata.templates.cdn.office.net, ecs.office.trafficmanager.net, clients.l.google.com, europe.configsvc1.live.com.akadns.net, uks-azsc-config.of
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf

Source	URL
Screenshot	https://www.catapult-connect.com/home/engagement/NTEwLVdlYnNpdGV8ODRiYjQxMTgwOWZiNGZlMWE2N2E2NjFhZDhlNTBlM2R8Y29uLTk3MTYxLWVufFdlYnNpdGUBX?l=http://vh26kx.pinboarddisplaced.com/?email=#aunali_khokhawala@iamgold.com

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
52.123.243.204	Wave Browser.exe	Get hash	malicious	Unknown	Browse
52.123.243.204	swift.xls	Get hash	malicious	Unknown	Browse
239.255.255.250	https://inps-conferma-dati.it/home.html	Get hash	malicious	Unknown	Browse
	https://mailengine.co/click_tracking?&redirectLink=http://embeds.beehiiv.com/d23df48a-754a-480b-9a5d-db66c2c46b92&source=email&ref=aa65ba1ae9f26d91fc495f31741706695402983&workflowInstance=65ba1aea0488580fac6abe1f&responseTemplate=630f7d144c49ff20dfe2b3c2&version=2	Get hash	malicious	Unknown	Browse
	https://realestatemania.ca/kxyNao-7Ms6e-WBJnj-uMnVb-7gZJL-v8aOp.php	Get hash	malicious	Unknown	Browse
	https://www.shareholds.com/eur/9fb868a2-97de-4fa6-bb9a-6e2bdc7c734d/99db7d04-72ba-41ea-a52e-2744d29c7f66/e845cf48-2115-4cda-904c-fc80c835df32/login?id=RDhIaE52RURnRGJHRWUzZ21seVc3R2xwMm5BK0k2NjNKbnlRYisvT3JURnNTa0p4Skp6OTRIVjNPa3VFclFOeEFTY2Jub0tIblFrbGo5SUhWb01RRCt4Q3FtaVlNeno4MU8zN2I3bmlveTF0Tm8yM0FOb1J4THRhM1RqNnhyazNHaDFNV3Zoc1RLN2VpV0ZZbUF2MDlWWGZ2Tk5STVpzUDVKaStnT0l0S1BVTlRzZ2lmcXI1Wkh6M1FheGd3Tjh2NVdaTzVOOTRQaVZrTmZrSjRIK3IvU1p4U2doYSsrYmtUOGl1RytpeGthUGFHT1g4UE4rbngvYnhpRXlJRG9oRVRWbUczdEc1ei9ESFJsT2lpZ2JyOFBLNTNoUXdzdVB0QjhVbmRBN1NSSUJYMTkrRnoxbENHSW5lYnJHczBnQytHaDlQSkRib1NTOFNJeTI2WVhCUkg5NGxNNzNMdzBmWktZenhCR2FnaFFaem5zU3FmbUV6WXowVFdOTEFjU3pGVnRjVlNFOHRtVlkvdk9WQjdibXBTNGZFcjUyb1BYTXRhQTRNNnJjbkJtcz0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse
	https://u47839971.ct.sendgrid.net/ls/click?upn=u001.SS8YqfWjf1b3UNFf2g8-2BbyepSJ9NnVqTjg5p4PlqyZLDG-2F-2FRHUWKB7tpHO-2BD9IAzfDK69NBor6n5GDDWuKOaXjILtpHrb-2FuqosweWIwJauCFjFOIVaIDje-2BTbWeqpid-2Fe0IpJIrTIznxRC8RuWTXkcZZXZKUxIgeeMWOFH96Tjh3a3uDeIXRyoiB6ZRGKZhHD63OuPdyktyTbMDbA-2FurGQ-3D-3DGlRK_1fgoI9z-2BmeHj6kFR5jmXJyN8Vyo9ja5rNrkl1rR8UXAlmAe6PSc2-2FD85CLOIF98tpCjfsSquWpaRYnYzjD-2B-2FDF-2F8BwiwRSEwmTXwwlDUaQI3bDBZTUv-2Ffbse4A61ed6hVc-2BhhTqdpCqzpir5GY49O-2BVdqG9mHEhTR8OvRsDhxES9QAdY7ZiH-2BurXMNUWGL6VuIIVYma05ZXZK6zhQMDhjNBnJShmRWPp7Ow2IJgH96F8uRyUdyMUZ9au5PfRhmvWMnTj3B1KVxYBpNo7XRlBSlYjK74Z4HptPWz0XAvVILLp4Z5Qq7I-2BYF76YXE5ZsE-2F9hOEdmxnqZwZIEaC1BNDg2XB-2BluEEvEXRuR9ohEPc6VObquUxTQmba8bObSY0wG3oOeb2xD8hV6IKwMnr9d-2B5HbQscEqkWH5k7qnk6bAGBIHHNt95VH4uagG-2Bh74PJCdwHqpitEnC4IeAHXNdNtMkKw34-2BF8TeV7q4SmkRwe9osbefOHPWGyls7sZdEjodVX7wlBDRV2BLQlTlDkK-2FzuZ2EsHCtWTv7yrVJT-2B6p3fl4O5qZGyWAuATjn7386SmbgYFZYAIaRjabXb6J3Z9IYhB-2BBiP3zxZSMd-2BGGNtSLCQw7FqwKOUhYoEZSgG-2FLraJhb7xOSF-2FZGKBw-2FWGPQ5W16K6ZnP31akPWN-2FRy3A1tFL9-2FQXaviWuNn8VOeqLfBR9isxQ-2BqB-2Fm-2BPFRMhM4zyM42FPD-2FRIJxCXHHfAnucSqTKeA1iykI89pw6joYB-2B9v-2FXzQpkgszpTxbxZcZ7mH0xUY6S3QZDaIWpt-2F-2B0FpvTn8cArsTTKjQo1QO476bdWvqqoz32vBNn214xuFkN0blGHeazkhMWwmEzZM6r-2BTFrW2-2Fha62dTAc7eNUguY6HOm3gtrj2-2FYlAidnBTp5Y8fj3jmA-3D-3D	Get hash	malicious	Unknown	Browse
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse
	Play____Now_AUD__Neil.novembre.htm	Get hash	malicious	Unknown	Browse
199.59.243.227	http://scansourcce.com/	Get hash	malicious	Unknown	Browse	scansourcce.com/_tr
	mm.exe	Get hash	malicious	Unknown	Browse	www.rebel.tienda/huia/
	Invoice & Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	www.9net88.net/ge07/?XRA4Dv_0=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22ujGcbkomNpSpJke0g==&DVld2=Ybu8dZf0
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	www.9net88.net/ge07/?FXT8AF=2dkTOn9Hj2ox&T8itM8U=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tPZEr4Tl6UO
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe	Get hash	malicious	FormBook	Browse	www.solidarity.rocks/hezo/
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	www.9net88.net/ge07/?Qzr=Llspyx1H8n00&anM=rInKjcO63u4K1THTAINFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22uj/DqErob1VpJkZnQ==
	zamowienie.exe	Get hash	malicious	GuLoader	Browse	www.gold-rates.online/rod1/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.rebel.tienda/7n9v/
	rHSBCBank_Paymentswiftcpy.exe	Get hash	malicious	FormBook	Browse	www.donante-de-ovulos.biz/g3wl/
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	FormBook	Browse	www.online-dating28.xyz/xl8n/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77980.bodis.com	Document.html	Get hash	malicious	HTMLPhisher	Browse	199.59.243.227
	jOAcln1aPL.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	jOAcln1aPL.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	http://nirothniroth.site/?p=22&fbclid=IwY2xjawFs_DdleHRuA2FlbQIxMQABHTdgZU6ok722L5RxKPR-zh7Gkm6BqZ8BcT950y1bxf6l0LKz0zslg7KJHw_aem__ldVm1UUndXAkwYRakjBzg	Get hash	malicious	Unknown	Browse	199.59.243.227
	http://music.farstream.org	Get hash	malicious	Unknown	Browse	199.59.243.227
	https://tracking.groovesell.com:443/t/1c336171327d66d10a047ef8cbabb880	Get hash	malicious	Unknown	Browse	199.59.243.227
	https://41619ec8e8407cbea965833e1fb35e027cd895bdef33c8d4bb7a06d460.pages.dev/	Get hash	malicious	Unknown	Browse	199.59.243.227
	https://b47324b31aa4ee0c39345febbbd635556bd7b07a0995b64436378baed7.pages.dev/	Get hash	malicious	Unknown	Browse	199.59.243.227
	http://f41aff2909cfd057585b1f61d87df66d8a0613f5ce2d194125c00f2c2f.pages.dev/	Get hash	malicious	Unknown	Browse	199.59.243.227
	z61SwiftCopyOfPayment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
svc.ms-acdc-teams.office.com	Seeking Assistance for Legal Assistance in a Medical Matter.msg	Get hash	malicious	Unknown	Browse	52.123.243.81
	https://1drv.ms/b/c/7bab8803aa446446/EVRHiu8efYZAkD-YFD5xQmIBzT5hMnGkyiNpwrnOj-mH_g	Get hash	malicious	HTMLPhisher	Browse	52.123.224.72
	file.exe	Get hash	malicious	Unknown	Browse	52.123.243.83
	Inspection Notice.msg	Get hash	malicious	HTMLPhisher	Browse	52.123.243.74
	file.exe	Get hash	malicious	Unknown	Browse	52.123.243.199
	Order_ 039924.docx.doc	Get hash	malicious	Unknown	Browse	52.123.243.78
	z42ordemdecomprapdf.exe	Get hash	malicious	FormBook	Browse	52.123.243.200
	Firstontario Caller VM_00_94 Seconds REF#e764f827cc206df3733c6c719eb86bc36b5f54d1 7_9_2024	Get hash	malicious	Unknown	Browse	52.123.243.81
	11fa2b48-c25d-d2a8-7e3d-327f8f3a8ace.eml	Get hash	malicious	Unknown	Browse	52.123.243.199
	Updated Handbook.docx	Get hash	malicious	Unknown	Browse	52.123.243.83

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BODIS-NJUS	#U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.227
	http://scansourcce.com/	Get hash	malicious	Unknown	Browse	199.59.243.205
	mm.exe	Get hash	malicious	Unknown	Browse	199.59.243.227
	Invoice & Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	6 654398.vbs	Get hash	malicious	FormBook, GuLoader	Browse	199.59.243.227
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Invoice Packing list For Sea Shipment.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	zamowienie.exe	Get hash	malicious	GuLoader	Browse	199.59.243.227
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	199.59.243.227
MICROSOFT-CORP-MSN-AS-BLOCKUS	ALVARA-072.msi	Get hash	malicious	AteraAgent	Browse	20.101.57.9
	https://www.shareholds.com/eur/9fb868a2-97de-4fa6-bb9a-6e2bdc7c734d/99db7d04-72ba-41ea-a52e-2744d29c7f66/e845cf48-2115-4cda-904c-fc80c835df32/login?id=RDhIaE52RURnRGJHRWUzZ21seVc3R2xwMm5BK0k2NjNKbnlRYisvT3JURnNTa0p4Skp6OTRIVjNPa3VFclFOeEFTY2Jub0tIblFrbGo5SUhWb01RRCt4Q3FtaVlNeno4MU8zN2I3bmlveTF0Tm8yM0FOb1J4THRhM1RqNnhyazNHaDFNV3Zoc1RLN2VpV0ZZbUF2MDlWWGZ2Tk5STVpzUDVKaStnT0l0S1BVTlRzZ2lmcXI1Wkh6M1FheGd3Tjh2NVdaTzVOOTRQaVZrTmZrSjRIK3IvU1p4U2doYSsrYmtUOGl1RytpeGthUGFHT1g4UE4rbngvYnhpRXlJRG9oRVRWbUczdEc1ei9ESFJsT2lpZ2JyOFBLNTNoUXdzdVB0QjhVbmRBN1NSSUJYMTkrRnoxbENHSW5lYnJHczBnQytHaDlQSkRib1NTOFNJeTI2WVhCUkg5NGxNNzNMdzBmWktZenhCR2FnaFFaem5zU3FmbUV6WXowVFdOTEFjU3pGVnRjVlNFOHRtVlkvdk9WQjdibXBTNGZFcjUyb1BYTXRhQTRNNnJjbkJtcz0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse	13.107.253.72
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse	51.141.97.243
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse	51.141.97.243
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse	51.141.97.243
	https://u47839971.ct.sendgrid.net/ls/click?upn=u001.SS8YqfWjf1b3UNFf2g8-2BbyepSJ9NnVqTjg5p4PlqyZLDG-2F-2FRHUWKB7tpHO-2BD9IAzfDK69NBor6n5GDDWuKOaXjILtpHrb-2FuqosweWIwJauCFjFOIVaIDje-2BTbWeqpid-2Fe0IpJIrTIznxRC8RuWTXkcZZXZKUxIgeeMWOFH96Tjh3a3uDeIXRyoiB6ZRGKZhHD63OuPdyktyTbMDbA-2FurGQ-3D-3DGlRK_1fgoI9z-2BmeHj6kFR5jmXJyN8Vyo9ja5rNrkl1rR8UXAlmAe6PSc2-2FD85CLOIF98tpCjfsSquWpaRYnYzjD-2B-2FDF-2F8BwiwRSEwmTXwwlDUaQI3bDBZTUv-2Ffbse4A61ed6hVc-2BhhTqdpCqzpir5GY49O-2BVdqG9mHEhTR8OvRsDhxES9QAdY7ZiH-2BurXMNUWGL6VuIIVYma05ZXZK6zhQMDhjNBnJShmRWPp7Ow2IJgH96F8uRyUdyMUZ9au5PfRhmvWMnTj3B1KVxYBpNo7XRlBSlYjK74Z4HptPWz0XAvVILLp4Z5Qq7I-2BYF76YXE5ZsE-2F9hOEdmxnqZwZIEaC1BNDg2XB-2BluEEvEXRuR9ohEPc6VObquUxTQmba8bObSY0wG3oOeb2xD8hV6IKwMnr9d-2B5HbQscEqkWH5k7qnk6bAGBIHHNt95VH4uagG-2Bh74PJCdwHqpitEnC4IeAHXNdNtMkKw34-2BF8TeV7q4SmkRwe9osbefOHPWGyls7sZdEjodVX7wlBDRV2BLQlTlDkK-2FzuZ2EsHCtWTv7yrVJT-2B6p3fl4O5qZGyWAuATjn7386SmbgYFZYAIaRjabXb6J3Z9IYhB-2BBiP3zxZSMd-2BGGNtSLCQw7FqwKOUhYoEZSgG-2FLraJhb7xOSF-2FZGKBw-2FWGPQ5W16K6ZnP31akPWN-2FRy3A1tFL9-2FQXaviWuNn8VOeqLfBR9isxQ-2BqB-2Fm-2BPFRMhM4zyM42FPD-2FRIJxCXHHfAnucSqTKeA1iykI89pw6joYB-2B9v-2FXzQpkgszpTxbxZcZ7mH0xUY6S3QZDaIWpt-2F-2B0FpvTn8cArsTTKjQo1QO476bdWvqqoz32vBNn214xuFkN0blGHeazkhMWwmEzZM6r-2BTFrW2-2Fha62dTAc7eNUguY6HOm3gtrj2-2FYlAidnBTp5Y8fj3jmA-3D-3D	Get hash	malicious	Unknown	Browse	13.107.253.45
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse	13.107.246.44
	3WffcqLN3q.exe	Get hash	malicious	Stealc, Vidar	Browse	40.126.32.136
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	22.57.84.90
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	21.233.224.110
AMAZON-02US	https://mailengine.co/click_tracking?&redirectLink=http://embeds.beehiiv.com/d23df48a-754a-480b-9a5d-db66c2c46b92&source=email&ref=aa65ba1ae9f26d91fc495f31741706695402983&workflowInstance=65ba1aea0488580fac6abe1f&responseTemplate=630f7d144c49ff20dfe2b3c2&version=2	Get hash	malicious	Unknown	Browse	54.171.3.70
	ALVARA-072.msi	Get hash	malicious	AteraAgent	Browse	13.35.58.124
	main_mpsl.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	https://realestatemania.ca/kxyNao-7Ms6e-WBJnj-uMnVb-7gZJL-v8aOp.php	Get hash	malicious	Unknown	Browse	3.164.163.115
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse	13.33.187.74
	https://u47839971.ct.sendgrid.net/ls/click?upn=u001.SS8YqfWjf1b3UNFf2g8-2BbyepSJ9NnVqTjg5p4PlqyZLDG-2F-2FRHUWKB7tpHO-2BD9IAzfDK69NBor6n5GDDWuKOaXjILtpHrb-2FuqosweWIwJauCFjFOIVaIDje-2BTbWeqpid-2Fe0IpJIrTIznxRC8RuWTXkcZZXZKUxIgeeMWOFH96Tjh3a3uDeIXRyoiB6ZRGKZhHD63OuPdyktyTbMDbA-2FurGQ-3D-3DGlRK_1fgoI9z-2BmeHj6kFR5jmXJyN8Vyo9ja5rNrkl1rR8UXAlmAe6PSc2-2FD85CLOIF98tpCjfsSquWpaRYnYzjD-2B-2FDF-2F8BwiwRSEwmTXwwlDUaQI3bDBZTUv-2Ffbse4A61ed6hVc-2BhhTqdpCqzpir5GY49O-2BVdqG9mHEhTR8OvRsDhxES9QAdY7ZiH-2BurXMNUWGL6VuIIVYma05ZXZK6zhQMDhjNBnJShmRWPp7Ow2IJgH96F8uRyUdyMUZ9au5PfRhmvWMnTj3B1KVxYBpNo7XRlBSlYjK74Z4HptPWz0XAvVILLp4Z5Qq7I-2BYF76YXE5ZsE-2F9hOEdmxnqZwZIEaC1BNDg2XB-2BluEEvEXRuR9ohEPc6VObquUxTQmba8bObSY0wG3oOeb2xD8hV6IKwMnr9d-2B5HbQscEqkWH5k7qnk6bAGBIHHNt95VH4uagG-2Bh74PJCdwHqpitEnC4IeAHXNdNtMkKw34-2BF8TeV7q4SmkRwe9osbefOHPWGyls7sZdEjodVX7wlBDRV2BLQlTlDkK-2FzuZ2EsHCtWTv7yrVJT-2B6p3fl4O5qZGyWAuATjn7386SmbgYFZYAIaRjabXb6J3Z9IYhB-2BBiP3zxZSMd-2BGGNtSLCQw7FqwKOUhYoEZSgG-2FLraJhb7xOSF-2FZGKBw-2FWGPQ5W16K6ZnP31akPWN-2FRy3A1tFL9-2FQXaviWuNn8VOeqLfBR9isxQ-2BqB-2Fm-2BPFRMhM4zyM42FPD-2FRIJxCXHHfAnucSqTKeA1iykI89pw6joYB-2B9v-2FXzQpkgszpTxbxZcZ7mH0xUY6S3QZDaIWpt-2F-2B0FpvTn8cArsTTKjQo1QO476bdWvqqoz32vBNn214xuFkN0blGHeazkhMWwmEzZM6r-2BTFrW2-2Fha62dTAc7eNUguY6HOm3gtrj2-2FYlAidnBTp5Y8fj3jmA-3D-3D	Get hash	malicious	Unknown	Browse	18.245.31.89
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	13.252.213.25
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	3.170.36.8
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	208.82.222.140
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	52.53.164.55

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	ubBnwUNUUr.exe	Get hash	malicious	AsyncRAT	Browse	4.175.87.197 40.126.31.71
	https://mailengine.co/click_tracking?&redirectLink=http://embeds.beehiiv.com/d23df48a-754a-480b-9a5d-db66c2c46b92&source=email&ref=aa65ba1ae9f26d91fc495f31741706695402983&workflowInstance=65ba1aea0488580fac6abe1f&responseTemplate=630f7d144c49ff20dfe2b3c2&version=2	Get hash	malicious	Unknown	Browse	4.175.87.197 40.126.31.71
	snBEoi6Tf4.exe	Get hash	malicious	AsyncRAT	Browse	4.175.87.197 40.126.31.71
	https://realestatemania.ca/kxyNao-7Ms6e-WBJnj-uMnVb-7gZJL-v8aOp.php	Get hash	malicious	Unknown	Browse	4.175.87.197 40.126.31.71
	https://www.shareholds.com/eur/9fb868a2-97de-4fa6-bb9a-6e2bdc7c734d/99db7d04-72ba-41ea-a52e-2744d29c7f66/e845cf48-2115-4cda-904c-fc80c835df32/login?id=RDhIaE52RURnRGJHRWUzZ21seVc3R2xwMm5BK0k2NjNKbnlRYisvT3JURnNTa0p4Skp6OTRIVjNPa3VFclFOeEFTY2Jub0tIblFrbGo5SUhWb01RRCt4Q3FtaVlNeno4MU8zN2I3bmlveTF0Tm8yM0FOb1J4THRhM1RqNnhyazNHaDFNV3Zoc1RLN2VpV0ZZbUF2MDlWWGZ2Tk5STVpzUDVKaStnT0l0S1BVTlRzZ2lmcXI1Wkh6M1FheGd3Tjh2NVdaTzVOOTRQaVZrTmZrSjRIK3IvU1p4U2doYSsrYmtUOGl1RytpeGthUGFHT1g4UE4rbngvYnhpRXlJRG9oRVRWbUczdEc1ei9ESFJsT2lpZ2JyOFBLNTNoUXdzdVB0QjhVbmRBN1NSSUJYMTkrRnoxbENHSW5lYnJHczBnQytHaDlQSkRib1NTOFNJeTI2WVhCUkg5NGxNNzNMdzBmWktZenhCR2FnaFFaem5zU3FmbUV6WXowVFdOTEFjU3pGVnRjVlNFOHRtVlkvdk9WQjdibXBTNGZFcjUyb1BYTXRhQTRNNnJjbkJtcz0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse	4.175.87.197 40.126.31.71
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 40.126.31.71
	Fax_Message_04 September, 202411_21_58 AM_564308269612697.htm	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 40.126.31.71
	https://gf5q.sqpbij.shop/?c2V0aC5wZW1iZXJAYXV0b3BhcnRpbnRsLmNvbTp3NThyNg	Get hash	malicious	HTMLPhisher	Browse	4.175.87.197 40.126.31.71
	https://onedrive.live.com/redir?resid=A2C259BD24DEB977%211517&authkey=%21AMV6sdjMIZf95vs&page=View&wd=target%28Quick%20Notes.one%7C8266a05f-045a-4cc0-bddc-4debc90069bb%2FNotera%20H6TYD9J4rDFDFECZC-HUYW%7Ca949d04d-b4e2-4509-b99f-d04546199b7b%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	4.175.87.197 40.126.31.71
	ES Ny kontraktsrunda.msg	Get hash	malicious	Unknown	Browse	4.175.87.197 40.126.31.71
6271f898ce5be7dd52b0fc260d0662b3	https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0	Get hash	malicious	Unknown	Browse	2.23.209.150
	sup.logical@gmail.com.exe	Get hash	malicious	Unknown	Browse	2.23.209.150
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	2.23.209.150
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	2.23.209.150
	https://docsend.com/view/44v95uq7wngs3w6t	Get hash	malicious	HTMLPhisher, HtmlDropper	Browse	2.23.209.150
	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	2.23.209.150
	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse	2.23.209.150
	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	2.23.209.150
	https://app.pandadoc.com/document/v2?token=69b8ae0059c2551a9a27ed1b65653c1a0b5ee1ff	Get hash	malicious	Unknown	Browse	2.23.209.150
	https://dca13.z4.web.core.windows.net/werrx01USAHTML/?bcda=1-877-883-8072#	Get hash	malicious	TechSupportScam	Browse	2.23.209.150
3b5074b1b5d032e5620f69f9f700ff0e	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	13.107.5.88
	Factura n#U00baB-2542.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	13.107.5.88
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.5.88
	https://www.shareholds.com/eur/9fb868a2-97de-4fa6-bb9a-6e2bdc7c734d/99db7d04-72ba-41ea-a52e-2744d29c7f66/e845cf48-2115-4cda-904c-fc80c835df32/login?id=RDhIaE52RURnRGJHRWUzZ21seVc3R2xwMm5BK0k2NjNKbnlRYisvT3JURnNTa0p4Skp6OTRIVjNPa3VFclFOeEFTY2Jub0tIblFrbGo5SUhWb01RRCt4Q3FtaVlNeno4MU8zN2I3bmlveTF0Tm8yM0FOb1J4THRhM1RqNnhyazNHaDFNV3Zoc1RLN2VpV0ZZbUF2MDlWWGZ2Tk5STVpzUDVKaStnT0l0S1BVTlRzZ2lmcXI1Wkh6M1FheGd3Tjh2NVdaTzVOOTRQaVZrTmZrSjRIK3IvU1p4U2doYSsrYmtUOGl1RytpeGthUGFHT1g4UE4rbngvYnhpRXlJRG9oRVRWbUczdEc1ei9ESFJsT2lpZ2JyOFBLNTNoUXdzdVB0QjhVbmRBN1NSSUJYMTkrRnoxbENHSW5lYnJHczBnQytHaDlQSkRib1NTOFNJeTI2WVhCUkg5NGxNNzNMdzBmWktZenhCR2FnaFFaem5zU3FmbUV6WXowVFdOTEFjU3pGVnRjVlNFOHRtVlkvdk9WQjdibXBTNGZFcjUyb1BYTXRhQTRNNnJjbkJtcz0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse	13.107.5.88
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	13.107.5.88
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	13.107.5.88
	3rd_cc_form_Oct_2024.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	13.107.5.88
	seethebestthingsevermeetwithgreatthingstobegood.hta	Get hash	malicious	Cobalt Strike	Browse	13.107.5.88
	greatthingswithgoodnewsgivenbygodthingsgreat.hta	Get hash	malicious	Cobalt Strike	Browse	13.107.5.88
	seethebestthingstobegoodwithhislifebestthigns.hta	Get hash	malicious	Cobalt Strike	Browse	13.107.5.88
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	52.123.243.204
	setupbatterycare.exe	Get hash	malicious	LummaC	Browse	52.123.243.204
	ldr_clp.exe	Get hash	malicious	Unknown	Browse	52.123.243.204
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	52.123.243.204
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	52.123.243.204
	ldr_clp.exe	Get hash	malicious	Unknown	Browse	52.123.243.204
	3rd_cc_form_Oct_2024.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	52.123.243.204
	file.exe	Get hash	malicious	LummaC	Browse	52.123.243.204
	file.exe	Get hash	malicious	LummaC	Browse	52.123.243.204
	file.exe	Get hash	malicious	LummaC	Browse	52.123.243.204

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	JSON data
Category:	dropped
Size (bytes):	521377
Entropy (8bit):	4.9084889265453135
Encrypted:	false
SSDEEP:	3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
MD5:	C37972CBD8748E2CA6DA205839B16444
SHA1:	9834B46ACF560146DD7EE9086DB6019FBAC13B4E
SHA-256:	D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
SHA-512:	02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 25 12:36:13 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.981808278408759
Encrypted:	false
SSDEEP:	48:8eLdKqTty7ZYHFidAKZdA1JehwiZUklqehTy+3:8eVQuIy
MD5:	61B477BB886333F838CD3E02C72789EC
SHA1:	883C91C9DA23826BAACC9EF70364F960ED961E66
SHA-256:	891A21D4382DBDA755F3F36096C835943F737838D5781C48188313690145A1AC
SHA-512:	480EDCB0ED281B51C2E66232F4AAD9B912801344930227D217DCFCB6D036E1499B27E540A1B6F3D401DDA1DAAC3BBA2B9C6D097661535B02C20445C4A7CE553B
Malicious:	false
Preview:	L..................F.@.. ...$+.,....Le0..&......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.IYYwl....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VYY.l....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VYY.l....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VYY.l...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VYY.l...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............-0.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	Rich Text Format data, version 1, ANSI, code page 1252
Entropy (8bit):	3.4550561233605013
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf
File size:	509'907 bytes
MD5:	2bec31492b3a10baeead838161407a05
SHA1:	eef55d6de4c29f84e34cada848ab5ac3600f310a
SHA256:	dc0048edad4cdf10fb977ef2f6a44bf412c2c0cbb82ef9c15761968191109061
SHA512:	b26f8b5e367635ef7f6ff546e978ade70f2e775f61c9e22e6647ff21474be7431d0cde8e266f7aa1e701106b528e6a69a9472838af93e893fc5325908145d0e4
SSDEEP:	6144:YemoANPydpBofMCsMYwZ65H5OJfV+fCpMEVRmfvg26:YHPP70CAzf4
TLSH:	40B4DCF2442A04C1F1D6C50EA21E3FB32FA1FFA746C68A046B7DE2F15721AD24E98557
File Content Preview:	{\rtf1\ansi\ansicpg1252\uc0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deff0\adeff0{\fonttbl{\f0\fnil\fcharset0 Times New Roman;}{\f1\fnil\fcharset0 Calibri Light;}}{\colortbl;\red42\green78\blue155;\red31\green55\blue99;\red255\green255\blue255;\red47\gre

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 15:36:12.046494961 CEST	58225	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:36:12.046494961 CEST	61983	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:36:12.073013067 CEST	53	61245	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:12.096972942 CEST	53	61983	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:12.100788116 CEST	53	58225	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:12.121433020 CEST	53	55728	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:13.053003073 CEST	51858	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:36:13.053252935 CEST	57653	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:36:13.292865038 CEST	53	57653	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:13.365204096 CEST	53	64259	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:13.442754030 CEST	53	51858	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:16.884638071 CEST	51370	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:36:16.884932041 CEST	60424	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:36:16.892155886 CEST	53	51370	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:16.892920971 CEST	53	60424	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:30.273601055 CEST	53	51426	1.1.1.1	192.168.2.17
Oct 25, 2024 15:36:49.339521885 CEST	53	63922	1.1.1.1	192.168.2.17
Oct 25, 2024 15:37:08.361423016 CEST	138	138	192.168.2.17	192.168.2.255
Oct 25, 2024 15:37:12.051426888 CEST	53	64024	1.1.1.1	192.168.2.17
Oct 25, 2024 15:37:12.053124905 CEST	53	62128	1.1.1.1	192.168.2.17
Oct 25, 2024 15:37:40.418339968 CEST	53	60413	1.1.1.1	192.168.2.17

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 15:36:10.315012932 CEST	1.1.1.1	192.168.2.17	0x2c39	No error (0)	svc.ha-teams.office.com	svc.ms-acdc-teams.office.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 15:36:10.315012932 CEST	1.1.1.1	192.168.2.17	0x2c39	No error (0)	svc.ms-acdc-teams.office.com		52.123.243.204	A (IP address)	IN (0x0001)	false
Oct 25, 2024 15:36:10.315012932 CEST	1.1.1.1	192.168.2.17	0x2c39	No error (0)	svc.ms-acdc-teams.office.com		52.123.243.207	A (IP address)	IN (0x0001)	false
Oct 25, 2024 15:36:10.315012932 CEST	1.1.1.1	192.168.2.17	0x2c39	No error (0)	svc.ms-acdc-teams.office.com		52.123.243.92	A (IP address)	IN (0x0001)	false
Oct 25, 2024 15:36:12.096972942 CEST	1.1.1.1	192.168.2.17	0xc6b3	No error (0)	www.catapult-connect.com	catapult-connect.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 15:36:12.100788116 CEST	1.1.1.1	192.168.2.17	0xfd18	No error (0)	www.catapult-connect.com	catapult-connect.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 15:36:12.100788116 CEST	1.1.1.1	192.168.2.17	0xfd18	No error (0)	catapult-connect.com		52.38.59.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 15:36:13.292865038 CEST	1.1.1.1	192.168.2.17	0xd114	No error (0)	vh26kx.pinboarddisplaced.com	77980.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 15:36:13.442754030 CEST	1.1.1.1	192.168.2.17	0xd701	No error (0)	vh26kx.pinboarddisplaced.com	77980.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 15:36:13.442754030 CEST	1.1.1.1	192.168.2.17	0xd701	No error (0)	77980.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Oct 25, 2024 15:36:16.892155886 CEST	1.1.1.1	192.168.2.17	0xaaa7	No error (0)	www.google.com		142.250.186.100	A (IP address)	IN (0x0001)	false
Oct 25, 2024 15:36:16.892920971 CEST	1.1.1.1	192.168.2.17	0xd3df	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 25, 2024 15:36:29.808196068 CEST	1.1.1.1	192.168.2.17	0x79ae	No error (0)	templatesmetadata.office.net	templatesmetadata.office.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:36:11 UTC	807	OUT	GET /config/v2/Office/word/16.0.16827.20130/Production/CC?&EcsCanary=1&Clientid=%7b7ECC672D-85C0-448B-B1A9-729F3738F0F2%7d&Application=word&Platform=win32&Version=16.0.16827.20130&MsoVersion=16.0.16827.20130&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=7&LicenseSKU=ProPlus2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bA479818C-5078-4E2D-9335-2B0AA0E295E8%7d&LabMachine=false HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip If-None-Match: "" User-Agent: Microsoft Office 2014 DisableExperiments: false X-ECS-Client-Last-Telemetry-Events: ecs_client_library_name=MSO,ecs_client_app_name=Office,ecs_client_version=16.0.16827.20130 Host: ecs.office.com
2024-10-25 13:36:11 UTC	1181	IN	HTTP/1.1 200 OK Cache-Control: no-cache,max-age=14400 Content-Length: 153638 Content-Type: application/json Expires: Fri, 25 Oct 2024 17:36:11 GMT ETag: "0AvTeJb3gdb5WWKgvDgS19JDtVKqh5KvMVlshfsmzXk=" Server: Microsoft-IIS/10.0 request-id: 1fcec059-6c64-871f-c7b1-dc9d303cf1a7 X-BackEndHttpStatus: 200 X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubDomains Report-To: {"group":"NelEcsUpload1","max_age":604800,"endpoints":[{"url":"https://ecs.nel.measure.office.net?TenantId=Office&DestinationEndpoint=MIRA-SIP-FR4&FrontEnd=MIRA"}],"include_subdomains":true} NEL: {"report_to":"NelEcsUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01} X-Proxy-RoutingCorrectness: 1 X-MSEdge-Ref: MIRA: 1fcec059-6c64-871f-c7b1-dc9d303cf1a7 FR4P281CA0039 2024-10-25T13:36:11.558Z Alt-Svc: h3=":443";ma=2592000,h3-29=":443";ma=2592000 X-Proxy-BackendServerStatus: 200 X-FirstHopCafeEFZ: FRA X-FEProxyInfo: FR4P281CA0039.DEUP281.PROD.OUTLOOK.COM X-FEEFZInfo: FRA X-Powered-By: ASP.NET X-FEServer: FR4P281CA0039 Date: Fri, 25 Oct 2024 13:36:10 GMT Connection: close
2024-10-25 13:36:11 UTC	3354	IN	Data Raw: 7b 22 45 43 53 22 3a 7b 22 43 6f 6e 66 69 67 4c 6f 67 54 61 72 67 65 74 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 63 37 32 65 61 32 38 37 2d 65 64 37 37 2d 34 66 61 36 2d 61 34 38 30 2d 33 37 31 32 34 30 36 63 33 36 37 65 22 3a 22 61 6b 61 2e 6d 73 2f 45 63 73 43 61 6e 61 72 79 22 2c 22 43 61 63 68 65 45 78 70 69 72 79 49 6e 4d 69 6e 22 3a 32 34 30 2c 22 45 6e 61 62 6c 65 53 6d 61 72 74 45 54 61 67 22 3a 31 2c 22 43 6f 6e 66 69 67 49 64 44 65 6c 69 6d 69 74 65 72 49 6e 4c 6f 67 22 3a 22 3b 22 7d 2c 22 4e 61 6e 63 79 4f 66 66 69 63 65 54 65 61 6d 22 3a 7b 22 7a 68 65 74 61 6e 34 31 32 32 30 32 31 22 3a 74 72 75 65 7d 2c 22 4f 66 66 69 63 65 5f 41 63 63 65 73 73 22 3a 7b 22 55 73 65 46 6f 72 6d 54 68 65 6d 65 49 66 4e 6f 50 61 72 65 6e 74 53 65 63 74 69 6f 6e Data Ascii: {"ECS":{"ConfigLogTarget":"default","c72ea287-ed77-4fa6-a480-3712406c367e":"aka.ms/EcsCanary","CacheExpiryInMin":240,"EnableSmartETag":1,"ConfigIdDelimiterInLog":";"},"NancyOfficeTeam":{"zhetan4122021":true},"Office_Access":{"UseFormThemeIfNoParentSection
2024-10-25 13:36:11 UTC	12336	IN	Data Raw: 71 71 69 4a 62 4f 79 34 68 36 4c 38 74 55 4f 6d 2f 4a 56 70 79 71 36 6f 59 71 2b 56 55 58 66 71 61 4c 76 56 56 46 63 46 53 32 70 6f 6d 56 56 39 46 79 53 49 6a 70 6a 56 77 4f 79 73 4a 52 37 4a 69 74 6a 6c 33 74 38 57 6b 4b 34 2f 62 6c 56 59 77 2b 33 73 32 48 6d 6e 79 54 67 2f 4c 55 54 6e 69 64 31 6c 34 41 58 6b 77 47 30 33 65 6c 6c 71 4f 59 7a 73 79 38 4b 5a 6a 75 53 41 49 79 56 2b 67 56 6f 59 77 42 4f 38 6a 55 74 68 6d 73 47 6b 75 70 64 4f 70 7a 53 41 42 77 75 36 42 4d 63 65 67 44 4e 75 71 50 50 6d 33 52 34 43 44 6f 30 75 65 6b 58 4e 46 4f 67 5a 6a 6a 55 69 6a 75 55 56 74 55 69 6d 50 30 50 6d 68 33 68 44 70 6b 4e 48 57 72 73 2f 6a 52 50 7a 2b 31 4c 30 4f 77 63 6c 59 53 76 6f 6a 36 76 72 72 6b 48 4a 6a 35 43 4a 57 45 35 38 2b 4d 38 48 62 62 62 41 4f 78 78 Data Ascii: qqiJbOy4h6L8tUOm/JVpyq6oYq+VUXfqaLvVVFcFS2pomVV9FySIjpjVwOysJR7Jitjl3t8WkK4/blVYw+3s2HmnyTg/LUTnid1l4AXkwG03ellqOYzsy8KZjuSAIyV+gVoYwBO8jUthmsGkupdOpzSABwu6BMcegDNuqPPm3R4CDo0uekXNFOgZjjUijuUVtUimP0Pmh3hDpkNHWrs/jRPz+1L0OwclYSvoj6vrrkHJj5CJWE58+M8HbbbAOxx
2024-10-25 13:36:11 UTC	16384	IN	Data Raw: 42 79 41 43 41 41 65 51 42 76 41 48 55 41 4c 67 41 41 53 68 41 43 41 52 49 45 55 77 42 31 41 48 49 41 5a 51 41 41 61 68 41 43 41 52 49 48 54 67 42 76 41 48 51 41 49 41 42 75 41 47 38 41 64 77 41 41 41 43 73 4b 41 52 41 47 41 51 6f 51 41 67 45 53 4d 45 67 41 62 77 42 33 41 43 41 41 5a 41 42 76 41 43 41 41 62 41 42 70 41 47 73 41 5a 51 41 67 41 48 51 41 61 41 42 6c 41 43 41 41 62 67 42 6c 41 48 63 41 49 41 42 73 41 47 38 41 62 77 42 72 41 43 41 41 59 51 42 75 41 47 51 41 49 41 42 6d 41 47 55 41 5a 51 42 73 41 43 41 41 62 77 42 6d 41 43 41 41 55 41 42 76 41 48 63 41 5a 51 42 79 41 46 41 41 62 77 42 70 41 47 34 41 64 41 41 2f 41 41 41 72 43 67 55 51 41 67 45 53 46 44 45 41 49 41 41 74 41 43 41 41 56 67 42 6c 41 48 49 41 65 51 41 67 41 46 55 41 62 67 42 7a 41 Data Ascii: ByACAAeQBvAHUALgAAShACARIEUwB1AHIAZQAAahACARIHTgBvAHQAIABuAG8AdwAAACsKARAGAQoQAgESMEgAbwB3ACAAZABvACAAbABpAGsAZQAgAHQAaABlACAAbgBlAHcAIABsAG8AbwBrACAAYQBuAGQAIABmAGUAZQBsACAAbwBmACAAUABvAHcAZQByAFAAbwBpAG4AdAA/AAArCgUQAgESFDEAIAAtACAAVgBlAHIAeQAgAFUAbgBzA
2024-10-25 13:36:11 UTC	16384	IN	Data Raw: 66 61 6c 73 65 2c 22 55 73 65 43 6f 6d 70 6f 6e 65 6e 74 54 79 70 65 61 73 54 61 73 6b 50 61 6e 65 22 3a 66 61 6c 73 65 2c 22 43 47 55 73 65 45 78 63 65 6c 55 64 66 48 6f 73 74 42 75 6e 64 6c 65 32 22 3a 66 61 6c 73 65 2c 22 43 68 61 6e 67 65 47 61 74 65 2e 53 65 74 54 65 61 6d 73 41 64 64 69 6e 4c 61 73 74 55 73 65 64 22 3a 66 61 6c 73 65 2c 22 43 68 61 6e 67 65 47 61 74 65 2e 53 68 61 72 65 64 52 75 6e 74 69 6d 65 46 6f 72 46 69 72 73 74 50 61 72 74 79 53 64 78 22 3a 66 61 6c 73 65 7d 2c 22 4f 66 66 69 63 65 5f 4f 66 66 69 63 65 49 6e 73 69 64 65 72 22 3a 7b 22 55 70 64 61 74 65 4e 6f 77 22 3a 74 72 75 65 7d 2c 22 4f 66 66 69 63 65 5f 4f 6e 65 4e 6f 74 65 22 3a 7b 22 47 72 6f 75 70 46 65 61 74 75 72 65 22 3a 7b 22 4e 6f 74 52 65 71 75 69 72 65 4f 4c 44 Data Ascii: false,"UseComponentTypeasTaskPane":false,"CGUseExcelUdfHostBundle2":false,"ChangeGate.SetTeamsAddinLastUsed":false,"ChangeGate.SharedRuntimeForFirstPartySdx":false},"Office_OfficeInsider":{"UpdateNow":true},"Office_OneNote":{"GroupFeature":{"NotRequireOLD
2024-10-25 13:36:12 UTC	16384	IN	Data Raw: 47 61 74 65 2e 55 70 64 61 74 65 54 61 62 6c 65 42 6f 75 6e 64 73 46 6f 72 54 79 70 69 6e 67 22 3a 66 61 6c 73 65 2c 22 47 72 61 6d 6d 61 72 43 68 65 63 6b 69 6e 67 2e 46 72 65 6e 63 68 45 6e 74 65 72 70 72 69 73 65 47 72 6f 75 70 33 22 3a 66 61 6c 73 65 2c 22 49 67 78 2e 41 63 74 69 76 61 74 65 43 6f 6e 74 65 6e 74 50 61 6e 65 46 6f 63 75 73 22 3a 66 61 6c 73 65 2c 22 47 72 61 70 68 49 6d 70 6f 72 74 5a 65 72 6f 54 65 72 6d 50 72 65 66 65 74 63 68 45 78 70 69 72 65 64 48 6f 75 72 73 22 3a 34 35 36 2c 22 41 75 74 6f 53 61 76 65 47 72 6f 75 70 50 6f 6c 69 63 79 22 3a 74 72 75 65 2c 22 47 72 61 70 68 49 6d 70 6f 72 74 53 75 72 76 65 79 22 3a 74 72 75 65 2c 22 47 72 61 70 68 49 6d 70 6f 72 74 48 65 64 77 69 67 55 58 22 3a 74 72 75 65 2c 22 47 72 61 6d 6d 61 Data Ascii: Gate.UpdateTableBoundsForTyping":false,"GrammarChecking.FrenchEnterpriseGroup3":false,"Igx.ActivateContentPaneFocus":false,"GraphImportZeroTermPrefetchExpiredHours":456,"AutoSaveGroupPolicy":true,"GraphImportSurvey":true,"GraphImportHedwigUX":true,"Gramma
2024-10-25 13:36:12 UTC	16384	IN	Data Raw: 42 57 61 63 43 68 61 74 45 6e 61 62 6c 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 4d 73 6f 49 4d 53 65 72 76 69 63 65 73 53 66 43 57 61 63 43 68 61 74 45 6e 61 62 6c 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 44 6f 63 75 6d 65 6e 74 43 68 61 74 55 49 4d 6f 64 65 6c 4f 6e 55 49 45 76 65 6e 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 43 68 61 74 43 61 6c 6c 6f 75 74 55 73 65 72 4f 6e 50 61 72 74 69 63 69 70 61 6e 74 4c 69 73 74 43 68 61 6e 67 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 43 6f 61 75 74 68 47 61 6c 6c 65 72 79 55 73 65 72 43 72 65 61 74 65 41 63 74 69 6f 6e 48 75 62 4c 69 73 74 46 72 6f 6d 53 6e 61 70 73 68 6f 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d Data Ascii: BWacChatEnabled":{"EventFlag":2},"MsoIMServicesSfCWacChatEnabled":{"EventFlag":2},"DocumentChatUIModelOnUIEvent":{"EventFlag":2},"ChatCalloutUserOnParticipantListChanged":{"EventFlag":2},"CoauthGalleryUserCreateActionHubListFromSnapshot":{"EventFlag":256}
2024-10-25 13:36:12 UTC	16384	IN	Data Raw: 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 39 34 30 38 7d 2c 22 4e 6f 45 6e 74 69 74 6c 65 6d 65 6e 74 73 45 78 70 65 72 69 6d 65 6e 74 54 72 69 67 67 65 72 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 39 34 30 38 7d 7d 7d 2c 22 4f 66 66 69 63 65 43 6c 69 65 6e 74 4c 69 63 65 6e 73 69 6e 67 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 4c 69 63 65 6e 73 65 43 6f 6d 70 6c 65 74 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 4c 65 67 61 63 79 41 63 74 69 76 69 74 79 53 75 63 63 65 73 73 43 6f 75 6e 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 4c 65 67 61 63 79 41 63 74 69 76 69 74 79 46 61 69 6c 75 72 65 43 6f 75 6e 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 2c 22 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 Data Ascii: {"EventFlag":49408},"NoEntitlementsExperimentTrigger":{"EventFlag":49408}}},"OfficeClientLicensing":{"Events":{"LicenseCompleted":{"EventFlag":2},"LegacyActivitySuccessCount":{"EventFlag":2},"LegacyActivityFailureCount":{"EventFlag":2}},"SubNamespaces":{"
2024-10-25 13:36:12 UTC	16384	IN	Data Raw: 63 75 6d 65 6e 74 53 68 61 72 65 55 72 6c 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 55 6e 70 61 63 6b 53 68 61 72 65 55 72 6c 41 6e 64 48 61 6e 64 6c 65 52 65 73 75 6c 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 4f 6e 55 6e 70 61 63 6b 55 72 6c 43 6f 6d 70 6c 65 74 65 64 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 55 6e 70 61 63 6b 4c 69 6e 6b 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 55 6e 70 61 63 6b 4c 69 6e 6b 57 69 74 68 48 69 6e 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 48 6c 69 6e 6b 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 4d 73 6f 48 72 48 6c 69 6e 6b 43 72 65 61 74 65 46 72 6f 6d 53 74 72 69 6e 67 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 4d 6f 63 73 69 22 3a 7b 22 Data Ascii: cumentShareUrl":{"Events":{"UnpackShareUrlAndHandleResult":{"EventFlag":2},"OnUnpackUrlCompleted":{"EventFlag":2}}},"UnpackLink":{"Events":{"UnpackLinkWithHint":{"EventFlag":2}}},"Hlink":{"Events":{"MsoHrHlinkCreateFromString":{"EventFlag":2}}},"Mocsi":{"
2024-10-25 13:36:12 UTC	16384	IN	Data Raw: 6f 72 49 6e 6b 69 6e 67 22 3a 74 72 75 65 2c 22 52 65 6d 6f 76 65 42 4b 46 54 41 47 69 62 73 74 22 3a 74 72 75 65 2c 22 4c 61 79 6f 75 74 41 6e 64 44 69 73 70 6c 61 79 2e 50 65 72 6d 69 74 43 6c 65 61 6e 43 6f 72 65 46 65 62 72 75 61 72 79 32 30 32 33 43 68 61 6e 67 65 73 22 3a 74 72 75 65 2c 22 4c 61 79 6f 75 74 41 6e 64 44 69 73 70 6c 61 79 2e 50 65 72 6d 69 74 43 6c 65 61 6e 43 6f 72 65 4a 61 6e 75 61 72 79 32 30 32 33 43 68 61 6e 67 65 73 22 3a 74 72 75 65 2c 22 45 6e 61 62 6c 65 4e 6f 72 6d 61 6c 54 65 6d 70 6c 61 74 65 53 74 79 6c 65 73 55 70 64 61 74 65 22 3a 74 72 75 65 2c 22 46 69 78 41 63 63 54 61 62 6c 65 56 32 49 6d 70 6c 65 6d 65 6e 74 61 74 69 6f 6e 46 47 22 3a 74 72 75 65 2c 22 44 6f 6e 74 49 6e 74 65 72 72 75 70 74 49 6e 6e 65 72 49 64 6c Data Ascii: orInking":true,"RemoveBKFTAGibst":true,"LayoutAndDisplay.PermitCleanCoreFebruary2023Changes":true,"LayoutAndDisplay.PermitCleanCoreJanuary2023Changes":true,"EnableNormalTemplateStylesUpdate":true,"FixAccTableV2ImplementationFG":true,"DontInterruptInnerIdl
2024-10-25 13:36:12 UTC	694	IN	Data Raw: 35 39 36 31 3a 35 39 36 33 32 36 2c 77 6f 72 64 6a 73 6f 6e 5f 30 34 32 36 5f 32 30 32 34 3a 35 35 39 31 38 34 2c 68 66 63 67 37 39 39 30 3a 34 34 39 39 33 33 2c 63 38 34 31 66 35 39 39 3a 34 34 31 35 36 35 2c 6f 65 73 65 74 75 70 64 65 6c 69 76 65 72 79 66 61 6c 6c 62 61 63 6b 33 3a 34 34 35 30 37 35 2c 39 62 38 64 61 39 35 35 3a 34 34 39 39 32 34 2c 62 65 6c 6f 77 6f 70 65 6e 64 69 76 69 64 65 72 3a 35 34 32 35 35 37 2c 6f 65 65 6e 61 62 6c 65 6f 73 66 69 64 65 6e 74 69 74 79 6d 61 6e 61 67 65 72 3a 34 34 39 39 31 39 2c 34 63 36 68 64 32 37 39 3a 34 36 33 37 32 31 2c 67 62 30 38 64 37 35 32 3a 32 39 32 31 32 32 2c 64 33 67 69 65 35 36 34 3a 32 38 33 38 35 33 2c 39 39 66 31 64 36 31 36 3a 32 38 33 38 35 34 2c 6f 65 6d 61 63 33 35 38 3a 32 30 35 30 32 22 Data Ascii: 5961:596326,wordjson_0426_2024:559184,hfcg7990:449933,c841f599:441565,oesetupdeliveryfallback3:445075,9b8da955:449924,belowopendivider:542557,oeenableosfidentitymanager:449919,4c6hd279:463721,gb08d752:292122,d3gie564:283853,99f1d616:283854,oemac358:20502"

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:36:12 UTC	818	OUT	GET /home/engagement/NTEwLVdlYnNpdGV8ODRiYjQxMTgwOWZiNGZlMWE2N2E2NjFhZDhlNTBlM2R8Y29uLTk3MTYxLWVufFdlYnNpdGUBX?l=http://vh26kx.pinboarddisplaced.com/?email= HTTP/1.1 Host: www.catapult-connect.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:36:13 UTC	412	IN	HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Location: http://vh26kx.pinboarddisplaced.com/?email= Server: Microsoft-IIS/10.0 Set-Cookie: ASP.NET_SessionId=n3sjlghe2lc10ttn0wxmhwt1; path=/; HttpOnly; SameSite=Lax X-AspNetMvc-Version: 5.3 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Fri, 25 Oct 2024 13:36:12 GMT Connection: close Content-Length: 160
2024-10-25 13:36:13 UTC	160	IN	Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 76 68 32 36 6b 78 2e 70 69 6e 62 6f 61 72 64 64 69 73 70 6c 61 63 65 64 2e 63 6f 6d 2f 3f 65 6d 61 69 6c 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://vh26kx.pinboarddisplaced.com/?email=">here</a>.</h2></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:36:14 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4742 Host: login.live.com
2024-10-25 13:36:14 UTC	4742	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-25 13:36:14 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Fri, 25 Oct 2024 13:35:14 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C529_BL2 x-ms-request-id: 69070aef-5a11-431f-8cbb-8e4dedb2cae4 PPServer: PPV: 30 H: BL02EPF0001D87D V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Fri, 25 Oct 2024 13:36:14 GMT Connection: close Content-Length: 10197
2024-10-25 13:36:14 UTC	10197	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:36:14 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VDUrcCGC24EkDez&MD=TYG3lRtt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-25 13:36:14 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 4539a913-89f0-4d08-aa76-607f822a1d22 MS-RequestId: 6436cc49-93af-4e73-8e07-9fc39cb3b429 MS-CV: jZ3qzKdXT0+MoOAK.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 25 Oct 2024 13:36:13 GMT Connection: close Content-Length: 24490
2024-10-25 13:36:14 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-25 13:36:14 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:36:52 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=VDUrcCGC24EkDez&MD=TYG3lRtt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-25 13:36:52 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: e3ead10c-0616-416c-9bf1-dc0ddb289458 MS-RequestId: 13548a46-280e-4433-8592-add2ffb6658c MS-CV: 9m4u1meeX0qIpPFo.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 25 Oct 2024 13:36:51 GMT Connection: close Content-Length: 30005
2024-10-25 13:36:52 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-25 13:36:52 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:37:01 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4808 Host: login.live.com
2024-10-25 13:37:01 UTC	4808	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-25 13:37:02 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Fri, 25 Oct 2024 13:36:01 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C529_SN1 x-ms-request-id: 02dbe6a4-76e5-4ae7-9187-87f7595265ae PPServer: PPV: 30 H: SN1PEPF0002F1AE V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Fri, 25 Oct 2024 13:37:01 GMT Connection: close Content-Length: 11197
2024-10-25 13:37:02 UTC	11197	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:37:01 UTC	537	OUT	GET /ab HTTP/1.1 Host: evoke-windowsservices-tas.msedge.net Cache-Control: no-store, no-cache X-PHOTOS-CALLERID: 9NMPJ99VJBWV X-EVOKE-RING: X-WINNEXT-RING: Public X-WINNEXT-TELEMETRYLEVEL: Basic X-WINNEXT-OSVERSION: 10.0.19045.0 X-WINNEXT-APPVERSION: 1.23082.131.0 X-WINNEXT-PLATFORM: Desktop X-WINNEXT-CANTAILOR: False X-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd} X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI= If-None-Match: 2056388360_-1434155563 Accept-Encoding: gzip, deflate, br
2024-10-25 13:37:01 UTC	209	IN	HTTP/1.1 400 Bad Request X-MSEdge-Ref: Ref A: 16EC623432114021870AF2C23D857F63 Ref B: DFW311000108031 Ref C: 2024-10-25T13:37:01Z Date: Fri, 25 Oct 2024 13:37:01 GMT Connection: close Content-Length: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:37:03 UTC	2603	OUT	GET /client/config?cc=CH&setlang=en-CH HTTP/1.1 X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate Accept-Encoding: gzip, deflate X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-UserAgeClass: Unknown X-BM-Market: CH X-BM-DateFormat: dd/MM/yyyy X-Device-OSSKU: 48 X-BM-DTZ: -240 X-DeviceID: 01000A41090080B6 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard Time X-BM-Theme: 000000;0078d7 X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAa0M9Ic0NHTHpTV5L%2BPXT4eE/ihX0ma2K%2Bqxj4Z3w3vBQT%2BQd1w7InmIoonB19jv%2BH8EL2f%2BGBGd672twTsaVsx4iBtnFzng40LMP7VYZ%2BoQVs07Fehh41KEzw3CPCSXXewyB/N35ZzycMBm2wXrt9xs3E9RTjr40e881zWqF4YcF%2BLKG7S%2Bjv/hAVutQhIyxBzDUrYsDdtf7bpqJG%2BWgZiDmoQ5RzqgI0vPPFQTCFiq2SuDMVj7791fFDopBTg8fSitv8EFlsCCMi/UjF4M7jCpSc1fM9EI%2B1MhwX9k%2BBHfjYPc6gA9OKvISNU9%2B8ZoK16AU7osM/9ctsKWpn9gTrAQZgAAEN04TM5tmVYfk%2B99Y3RDfviwAeWfcpUO%2BqwshT2HBqT5Dn4/SoMfNuQUNBfoMt%2BQUB%2BrCZnyYyZgq1jo9ydvhWeVzSUpeQUpk17FOxR5BivvlZl74LucHZvaxG1e4CtJuKmKqEcaIkU3mwNvs/Ty6TXN5oIivHjlH4AmGPFduRhiANdhR7%2B0g/OoiBpNc8UZrgp2xvmxZUdqnJlAugwhXdUN22ryjRNYKZD35xe3UB5t294PrCxP4slXGNPhtVY0OVnYq7sLxq74zrhHllYVxJ04/uuruEG8rcwWX%2BhfK20TMXotdDHSANUaK6DcLE5IxQznVHRrxvWXfEK%2B/yJOZHZvOCeqnyvezpbqhu47agwIy0L9kzYmVvR3yPqFfQQQb8ENL6SiYqRFuM1M5TJpw20hYIguJi/Unzs%2BOahW%2B0yuPLGqMcJEFiDZFBcic5xNGbWUOljs5Ac%2BzoqfudUpxQWJsepYUhuAIUVDytwzYCbquFPgRQ30U0LXZ8yhMRnwmkTlksHhev8x2hksDwL5Og9o5EhBnKMiEpgmGHTFK0Yu3mS5b4dWxtg2P [TRUNCATED] X-Agent-DeviceId: 01000A41090080B6 X-BM-CBT: 1729863419 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 X-Device-isOptin: false Accept-language: en-GB, en, en-US X-Device-Touch: false X-Device-ClientSession: 9F8D82E5B2EB4B4188C74CD24CBA5576 X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI Host: www.bing.com Connection: Keep-Alive Cookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
2024-10-25 13:37:03 UTC	1148	IN	HTTP/1.1 200 OK Content-Length: 2215 Content-Type: application/json; charset=utf-8 Cache-Control: private X-EventID: 671b9eff4a3846abbd67bbdef2dc65f2 X-AS-SetSessionMarket: de-ch UserAgentReductionOptOut: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0= X-XSS-Protection: 0 P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND" Date: Fri, 25 Oct 2024 13:37:03 GMT Connection: close Set-Cookie: _EDGE_S=SID=0A1EF1E7D41260ED17CEE4C4D54E615B&mkt=de-ch; domain=.bing.com; path=/; HttpOnly Set-Cookie: ANON=A=84BEA1DAAAB85FA790252CDAFFFFFFFF; domain=.bing.com; expires=Wed, 19-Nov-2025 13:37:03 GMT; path=/; secure; SameSite=None Set-Cookie: WLS=C=0000000000000000&N=; domain=.bing.com; path=/; secure; SameSite=None Set-Cookie: _SS=SID=0A1EF1E7D41260ED17CEE4C4D54E615B; domain=.bing.com; path=/; secure; SameSite=None Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.02d01702.1729863423.158c7a01
2024-10-25 13:37:03 UTC	2215	IN	Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 31 2c 22 63 6f 6e 66 69 67 22 3a 7b 22 46 65 61 74 75 72 65 43 6f 6e 66 69 67 22 3a 7b 22 53 65 61 72 63 68 42 6f 78 49 62 65 61 6d 50 6f 69 6e 74 65 72 4f 6e 48 6f 76 65 72 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 68 6f 77 53 65 61 72 63 68 47 6c 79 70 68 4c 65 66 74 4f 66 53 65 61 72 63 68 42 6f 78 22 3a 7b 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 6f 78 55 73 65 53 65 61 72 63 68 49 63 6f 6e 41 74 52 65 73 74 22 3a 7b 22 76 61 6c 75 65 22 3a 66 61 6c 73 65 2c 22 66 65 61 74 75 72 65 22 3a 22 22 7d 2c 22 53 65 61 72 63 68 42 75 74 74 6f 6e 55 73 65 53 65 61 72 63 68 49 63 6f 6e 22 3a 7b 22 76 61 6c 75 65 Data Ascii: {"version":1,"config":{"FeatureConfig":{"SearchBoxIbeamPointerOnHover":{"value":true,"feature":""},"ShowSearchGlyphLeftOfSearchBox":{"value":true,"feature":""},"SearchBoxUseSearchIconAtRest":{"value":false,"feature":""},"SearchButtonUseSearchIcon":{"value

Target ID:	0
Start time:	09:36:05
Start date:	25/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf" /o ""
Imagebase:	0x9d0000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	09:36:10
Start date:	25/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.catapult-connect.com/home/engagement/NTEwLVdlYnNpdGV8ODRiYjQxMTgwOWZiNGZlMWE2N2E2NjFhZDhlNTBlM2R8Y29uLTk3MTYxLWVufFdlYnNpdGUBX?l=http://vh26kx.pinboarddisplaced.com/?email=#aunali_khokhawala@iamgold.com
Imagebase:	0x7ff7d6f10000
File size:	3'242'272 bytes
MD5 hash:	83395EAB5B03DEA9720F8D7AC0D15CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{031970B3-0916-4DE5-B29A-9EC28EF59203}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{30A89364-DFCB-4F49-8D7A-BBD418550ACC}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{43588343-FFBD-4B32-B403-5D323D6F30C1}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{4A5339A5-6D61-4AF3-A870-F904A11AB01F}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{6A0E937E-1DCC-4D0F-8FC8-0BDCC74BE8AA}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{92178CD0-3989-4E53-A29A-E8F10674BAE6}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9609C0E1-349D-4B2C-9844-EBFB864D3556}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9D09223B-F4AE-4714-92BB-7FB2C3290CC0}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{A4D98A5C-5EAB-494B-AE1E-E03386277A70}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{A5DFA894-CC49-4089-9872-A166570C60C1}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{AAEBFDF9-52AE-49BA-B7AC-A571B0F9F015}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B359172A-D567-4CBF-AB19-76C7104B5C0C}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CDB3B519-5DC0-4AE8-98D0-2333C645A803}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{D5C1120D-1E43-47B4-90E3-8493F26B450F}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{DA749D3A-A466-45F8-8C42-B23697F8BC8F}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1729863366749927500_A479818C-5078-4E2D-9335-2B0AA0E295E8.log

C:\Users\user\AppData\Local\Temp\Diagnostics\WINWORD\App1729863366750501500_A479818C-5078-4E2D-9335-2B0AA0E295E8.log

C:\Users\user\AppData\Local\Temp\TCD40CD.tmp\APASixthEditionOfficeOnline.xsl

C:\Users\user\AppData\Local\Temp\TCD40CD.tmp\Content.inf

C:\Users\user\AppData\Local\Temp\TCD40CE.tmp\Content.inf

C:\Users\user\AppData\Local\Temp\TCD40CE.tmp\gosttitle.xsl

Windows Analysis Report
Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944 (1).rtf

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre