Edit tour

Windows Analysis Report
phishingtest.eml

Overview

General Information

Sample name:	phishingtest.eml
Analysis ID:	1584027
MD5:	d92f54097fa8e7e8351f4b0c526766a9
SHA1:	d8f7ef7fd37f555ebc3650e7bcb261d61c12b736
SHA256:	9206e05b6526d783f4f0df70fa05723a90cf02d54b36f36f1472ee93afac941f
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected potential phishing Email

Creates a window with clipboard capturing capabilities

IP address seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Outlook Security Settings Updated - Registry

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6972 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phishingtest.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7052 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "AE3842F3-4B46-407E-93B9-BC48317ECC3C" "6414065B-BA2B-4351-945D-A87980A02F5D" "6972" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

Acrobat.exe (PID: 6388 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\7V90LNRU\Open 332.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 3972 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 6344 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1164,i,9528970337408047140,8902369827790921300,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 8084 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7408 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1896,i,13739452463520773973,10384309443688143443,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6972, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Outlook Security Settings Updated - Registry

Source: Registry Key set

Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\7V90LNRU\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6972, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected landing page (webpage, office document or email)

Source: PDF document

Joe Sandbox AI: PDF document contains prominent button: 'click to continue'

AI detected potential phishing Email

Source: Email

Joe Sandbox AI: Detected potential phishing email: The subject line is suspiciously repetitive and spammy, containing multiple variations of the same message about account balance replenishment. The email body contains random, nonsensical text fragments mixed with legitimate-looking Google Docs references. The attachment '332.pdf' with a generic name combined with account-related claims is a common phishing tactic

Source: Email

Classification: Credential Stealer

Source: https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD

HTTP Parser: No favicon

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.69
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.36
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.196
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.184.196

Source: global traffic	HTTP traffic detected: GET /url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIkqHLAQj2mM0BCIWgzQEI3L3NAQi5ys0BCMfRzQEIidPNAQjc080BCMvWzQEI9NbNAQiK180BCKfYzQEI+cDUFRi60s0BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIkqHLAQj2mM0BCIWgzQEI3L3NAQi5ys0BCMfRzQEIidPNAQjc080BCMvWzQEI9NbNAQiK180BCKfYzQEI+cDUFRi60s0BGMvYzQEY642lFw==Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tDAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=Ambpgyum6R16n3Ex1ERRSrZGjUeEfba1ZVicRJDb4ipkDbVjdu8n4ttdqaKYn6DFzbiExu6Rh9B3L-Wy5qzcY0w_aiIQlWbO44BSb50l3_X5XYBaTbgMcucnWWdqPHc5Cd3mh_v5x0pb1vOZlief4uoY2vL02z5pRKizUkRn2s1bKYNm-rl7FyKXzVspeKjKG3zf4w
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIkqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=520=Ambpgyum6R16n3Ex1ERRSrZGjUeEfba1ZVicRJDb4ipkDbVjdu8n4ttdqaKYn6DFzbiExu6Rh9B3L-Wy5qzcY0w_aiIQlWbO44BSb50l3_X5XYBaTbgMcucnWWdqPHc5Cd3mh_v5x0pb1vOZlief4uoY2vL02z5pRKizUkRn2s1bKYNm-rl7FyKXzVspeKjKG3zf4w

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: offsiteforms.store

Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2D85F72862B55C4EADD9E66E06947F3D0.11.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: 7851c594-d350-4674-8507-440f4237afd1.tmp.12.dr, f5dee65a-a010-4a7e-b7b4-b827ed509b09.tmp.12.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: phishingtest.eml	String found in binary or memory: https://docs.google.com/drawings/d/1dkbLi49y3JQRyVOPkSMc7r-v-rgTS9vROyawO=
Source: chromecache_232.16.dr	String found in binary or memory: https://offsiteforms.store/1wq4W8
Source: phishingtest.eml	String found in binary or memory: https://ssl.gstatic.com/docs/docli=
Source: phishingtest.eml	String found in binary or memory: https://workspace.google.com/
Source: phishingtest.eml	String found in binary or memory: https://www.gstatic.com/=

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: classification engine

Classification label: mal48.winEML@37/61@11/5

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250103T2156090855-6972.etl

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phishingtest.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "AE3842F3-4B46-407E-93B9-BC48317ECC3C" "6414065B-BA2B-4351-945D-A87980A02F5D" "6972" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\7V90LNRU\Open 332.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1164,i,9528970337408047140,8902369827790921300,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1896,i,13739452463520773973,10384309443688143443,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "AE3842F3-4B46-407E-93B9-BC48317ECC3C" "6414065B-BA2B-4351-945D-A87980A02F5D" "6972" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\7V90LNRU\Open 332.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1164,i,9528970337408047140,8902369827790921300,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1896,i,13739452463520773973,10384309443688143443,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: Google Drive.lnk.15.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.15.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.15.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.15.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.15.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.15.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	21 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Clipboard Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://offsiteforms.store/1wq4W8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
offsiteforms.store	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD	false		high
https://www.google.com/favicon.ico	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://offsiteforms.store/1wq4W8	chromecache_232.16.dr	false	Avira URL Cloud: safe	unknown
https://chrome.cloudflare-dns.com	7851c594-d350-4674-8507-440f4237afd1.tmp.12.dr, f5dee65a-a010-4a7e-b7b4-b827ed509b09.tmp.12.dr	false		high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.11.dr	false		high
https://workspace.google.com/	phishingtest.eml	false		high
https://docs.google.com/drawings/d/1dkbLi49y3JQRyVOPkSMc7r-v-rgTS9vROyawO=	phishingtest.eml	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	unknown	United States	15169	GOOGLEUS	false
142.250.186.36	unknown	United States	15169	GOOGLEUS	false
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584027
Start date and time:	2025-01-04 03:55:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	phishingtest.eml
Detection:	MAL
Classification:	mal48.winEML@37/61@11/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132, 184.28.90.27, 52.109.68.130, 20.189.173.7, 184.28.88.176, 3.233.129.217, 3.219.243.226, 52.6.155.20, 52.22.41.97, 162.159.61.3, 172.64.41.3, 23.209.209.135, 199.232.214.172, 2.16.168.105, 2.16.168.107, 142.250.184.195, 216.58.206.46, 74.125.133.84, 142.250.185.78, 172.217.18.110, 142.250.181.238, 4.175.87.197, 23.56.162.204
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, odc.officeapps.live.com, slscr.update.microsoft.com, europe.odcsm1.live.com.akadns.net, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, clients2.google.com, redirector.gvt1.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, www.google.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, ecs.office.com, google.com, fs.microsoft.com, accounts.google.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, frc-azsc-000.odc.officeapps.live.com, ctldl.windowsupdate.com, p13n.adobe.io, s-0005-office.config.skype.com, onedscolprdwus06.westus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com, armmf.adob
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:56:35	API Interceptor	2x Sleep call for process: AcroCEF.exe modified

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "explanation": [ "The subject line is suspiciously repetitive and spammy, containing multiple variations of the same message about account balance replenishment", "The email body contains random, nonsensical text fragments mixed with legitimate-looking Google Docs references", "The attachment '332.pdf' with a generic name combined with account-related claims is a common phishing tactic" ], "phishing": true, "confidence": 9, "generated_by_ai": true }
{ "date": "Mon, 23 Dec 2024 00:29:05 +0000", "subject": " Your account balance has been replenished with your funds! \n\n Get ready to spend with your replenished account balance! \n\n Your funds are back and your account balance is looking good! \n\n Your account balance is now replenished with your funds! \n\n Your account balance is back to normal with your funds! \n\n Your account balance is now replenished - time to treat yourself! \n\n Your account balance is looking healthy with your funds replenished! \n\n Your account balance is back to normal - thanks for your patience! \n\n Your account balance is now replenished - happy spending! \n\n Your account balance is back to normal - enjoy your funds! \n\n Your account balance is now replenished - time to make some purchases! ", "communications": [ "Attached: Open 332.pdf\nSent using Google Docs https://docs.google.com/\n\nWeve received your payment application! Our team is committed to \nreviewing it promptly and efficiently. You can expect a decision within \nGranby. In the meantime, if you have any questions, please dont hesitate \nto reach out. We appreciate your patience! \n\n\n \nhttps://docs.google.com/drawings/d/1dkbLi49y3JQRyVOPkSMc7r-v-rgTS9vROyawOplkRes/preview\n\n\n\n suction that completely fails without the use of Cathcarts tube. The Such \nbeing his observations and views, he rejoiced in the popular Putavimus eum \nquasi leprosum. Isa. liii. . digestive juices of the animal have converted \nthe starches and sugars.\n" ], "from": "\"Pamphile Cinkan (via Google Slides)\" <drive-shares-noreply@google.com>", "to": "cvanreenen@hotmail.com", "attachements": [ "Open 332.pdf" ] }
URL: https://google.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://google.com
URL: PDF document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Click to continue", "prominent_button_name": "Click to continue", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "The previous page is sending you to https://offsiteforms.store/1wq4W8.", "prominent_button_name": "return to the previous page", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Email Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "We've received your payment application! Our team is committed to reviewing it promptly and efficiently. You can expect a decision within Granby. In the meantime, if you have any questions, please don't hesitate to reach out. We appreciate your patience!", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: PDF document Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Email Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Email Model: Joe Sandbox AI	{"classification":"Credential Stealer"}
Email: Detected potential phishing email: The subject line is suspiciously repetitive and spammy, containing multiple variations of the same message about account balance replenishment. The email body contains random, nonsensical text fragments mixed with legitimate-looking Google Docs references. The attachment '332.pdf' with a generic name combined with account-related claims is a common phishing tactic	{"classification":"Credential Stealer"}

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	http://livedashboardkit.info	Get hash	malicious	Unknown	Browse
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Unknown	Browse
	1735939565593f5d6bf694464eb338b020a826ec212acacc46d4424bb914edbae3d507116e469.dat-decoded.exe	Get hash	malicious	LiteHTTP Bot	Browse
	https://track2.mccarthysearch.com/9155296/c?p=UJEwZLRSuPVlnD1ICTWZusB5H46ZFxhQFeZmgv_N89FzkqdhuHSGoPyB5qZfahmny00oVnRJ_XGR4M89Ovy-j3JZN_nz1Nb-BfHfDXVFwrd4A8njKtxWHgVV9KpuZ3ad6Xn31h13Ok4dSqgAUkhmVH1KUMKOlrKi5AYGmafMXkrBRxU_B4vy7NXVbEVJ970TwM25LbuS_B0xuuC5g8ehQDyYNyEV1WCghuhx_ZKmrGeOOXDf8HkQ-KOwv_tecp8TMdskXzay5lvoS31gB-nWxsjPaZ8f84KWvabQB4eF73ffpyNcTpJues_4IHHPjEKJ9ritMRTaHbFdQGNT_n13X_E7no0nMmaegQjwo4kKGu6oR02iG2c_6ucy3I6d8vsNl324Pjhx3M20dDmfZAju1roW9lGyO1LfgEnp1iSAFpx4kA7frEmKGzJYNX_cZrwVBoH8vvIYauXGnXBrZacRhuZGGbOjW2HHr9KF-0q7xjdgG2hxjWZ2H9zjubJGDnUjHRfiIr_-0bem1pLFqziEmy0450LGuXV23cQ6GD8yuK9tuRwMIF0sbkhVqONC0e6TsXlkUuTRAVWBbLlRPcygJ-CbukwvFtAxobVQ8-PpIuGj97DYFnmbfbJrrZDtH57TpdP4AxtW5k74BKSXvb1B6JX0p7Oyr1kXxLs_OrNPdAdrf8gXR35D9W7WeQ2zhPEqP0Mv5sJx4DlYh6Y4FqgPfCRFcDcL7Cy3HSlJ0XYfv-ae4o-hdX_0rJPqEG_-Bn2yj60YPDYpE8KDIgC_ZMwlNLdK4pAK6vSt4NWDncuV5y7QDqt97ribjd4U3AOvQTKW9r_eMky9-IC9hkSPrg2S0ZBgA9ITW3AQ3v-lq94cAwt1v1RLaFgsy67l_7lni1gYsZaQdOsFJsDpCFYaZsTMcVz2QAnQ_2UidhzlUekPl5xh9LNe9o77rO1FolZslooaXxCf2U2RZmvUA6NCNiGZ8KSsoUYTnqAHenvBJVJwMWd66yD2O60rC3Ic2qOQ1KOF9AB6-iFTvQFxtSTjS2hFwi7N97LeQtVYKhdzZuq2SasgJg0JPnZiFv_FSbgmiodqx9rz_lWIqWQNoQVht-oO2BfFxSF_aedAmm2MuQAL7z8UjBf_deiKwQyfKOyA6ZkAJ14F9xwhNm9F7B4PBgDtocqJQBjw5Cf1jCBSAs3nSYP2_nzofJuQSXd-YD9PIzkkmJw7Nqux7IgJ6p1z2Hsf6i3zShVdZY3g2mmA1xR1FV1LoSYwcRBqZt3pv0UDjuqCEoiqKDuyT0rkhqTRLo29uuM588Lna16PFSgSLoLUhnJ2rx8NLQQc5TqrsGjlN-ulCwTEyA0C9Epz9mxq14yDjw==	Get hash	malicious	Unknown	Browse
	https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832	Get hash	malicious	KnowBe4	Browse
	https://www.copiat.ro/6.exe	Get hash	malicious	Unknown	Browse
	http://www.cipassoitalia.it/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	http://lzkaw.theaudiobee.com/4JvVHv3166gBJC324kvamxlnkfn259BVCQSWLGBOGFXUP772APMZ15384h17	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	a36r7SLgH7.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	199.232.214.172
	2Mi3lKoJfj.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	Reparto Trabajo TP4.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	DcRat, JasonRAT	Browse	199.232.214.172
	iviewers.dll	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.214.172
	wrcaf.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.210.172
	iubn.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.210.172
	rwvg1.exe	Get hash	malicious	DcRat, KeyLogger, StormKitty, VenomRAT	Browse	199.232.210.172
	ersyb.exe	Get hash	malicious	DcRat, KeyLogger, StormKitty, VenomRAT	Browse	199.232.214.172

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.161858425275866
Encrypted:	false
SSDEEP:	6:iOVGCAq2PRN2nKuAl9OmbnIFUtf/cVNJZmw5/cVNDkwORN2nKuAl9OmbjLJ:7V8vaHAahFUtf/kX/5/kF5JHAaSJ
MD5:	14282D890EEC94E61B81B145B3C27F10
SHA1:	70FF9E0D0DF95018371A2F0790AAE151C4B0FE5D
SHA-256:	F0E033F608F7A918A1041FAEA639F89F7B58212C0F608AE7D57D567A66C4F796
SHA-512:	C5DA6563CEBDFED42A45F5BB2F92D3BF6D81817EB753C3045BD713BF4DC6971480265C6023752A77DB1AF9CEA9020B725D6C69173B39AD4C112316A9A94301F8
Malicious:	false
Reputation:	low
Preview:	2025/01/03-21:56:22.819 e90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/03-21:56:22.825 e90 Recovering log #3.2025/01/03-21:56:22.825 e90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	110592
Entropy (8bit):	4.481917691207649
Encrypted:	false
SSDEEP:	768:RUdWO2ze1rociQ88Cvcr4n0l9anZEYy99OgXcw28jEmMeuWlWyWdWyk:1gcI4nC9anCzFXR87k
MD5:	3DC3F4CF32FB364960997F1F73AA4998
SHA1:	29711C5C8150ADF3D6CB39288499F798AE1D67CA
SHA-256:	62B872CF90D74B7E06E4406BD7951305A06A6A580F48D96BAE05C875268879C2
SHA-512:	4118324ACC5B2D9DC70FE87164C319B4604DFFC978C812D60859FDD0919B4D589DCA5EF5812295839ECAF6DEE2E576DD22E3AC2D16F4189A6C1E8728A8D21AD6
Malicious:	false
Preview:	............................................................................`...T...<....u.5T^..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................I.Y...........u.5T^..........v.2._.O.U.T.L.O.O.K.:.1.b.3.c.:.c.f.5.e.e.c.c.b.3.6.8.e.4.c.7.d.a.c.6.f.e.7.6.3.4.3.0.b.8.b.c.b...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.1.0.3.T.2.1.5.6.0.9.0.8.5.5.-.6.9.7.2...e.t.l.......P.P.T...<....u.5T^..........................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Jan 4 01:56:39 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9890803058274256
Encrypted:	false
SSDEEP:	48:8tdjTLLjwHiidAKZdA1FehwiZUklqehSy+3:8DnpFy
MD5:	A8867BAB0A9F67C781C0BA3D4B377C39
SHA1:	6123B07EEFE6842B5E2D53570648C37DB63ACD66
SHA-256:	C4D3C95D39719F2E9DEFCEFC36EC8D3AF7002BD6643FC0C01762CFD294C94F3B
SHA-512:	BB902FF6FDC6C13DA611BD67F187F48B0D59A2B2E610736A88A85B0217919F800C072E610170D9AB436F429FFBECEECF5BAB910C64BF93258B9FC976EF22027F
Malicious:	false
Preview:	L..................F.@.. ...$+.,....Y..FT^..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I$Z......B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V$Z......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V$Z......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V$Z............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V$Z.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............LV......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	RFC 822 mail, ASCII text, with very long lines (320), with CRLF line terminators
Entropy (8bit):	6.170271613093535
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	phishingtest.eml
File size:	67'523 bytes
MD5:	d92f54097fa8e7e8351f4b0c526766a9
SHA1:	d8f7ef7fd37f555ebc3650e7bcb261d61c12b736
SHA256:	9206e05b6526d783f4f0df70fa05723a90cf02d54b36f36f1472ee93afac941f
SHA512:	e12ba54e8bf805944df322243e68b06db9415181289f97a066c37a6d3a09db9df00de1a053a49a41c0c59f827139986e18319134781b16b12746e522278becae
SSDEEP:	1536:DMTe0Ckei9ZyatQeSQbS/liebuYdo0/98EXNFzudGZhaZK4:4CkMAQgAl/KaCEdIam
TLSH:	D863E07BE8460203E7B280559D49FC0AB2A23D6ED4A7A8C0FC5D75D70BDC8654963ECB
File Content Preview:	Received: from CO1PR03MB7986.namprd03.prod.outlook.com (2603:10b6:303:276::16).. by SN6PR03MB4223.namprd03.prod.outlook.com with HTTPS; Mon, 23 Dec 2024.. 00:29:09 +0000..Received: from AS8PR04CA0024.eurprd04.prod.outlook.com (2603:10a6:20b:310::29).. by

Subject:	Your account balance has been replenished with your funds! Get ready to spend with your replenished account balance! Your funds are back and your account balance is looking good! Your account balance is now replenished with your funds! Your account balance is back to normal with your funds! Your account balance is now replenished - time to treat yourself! Your account balance is looking healthy with your funds replenished! Your account balance is back to normal - thanks for your patience! Your account balance is now replenished - happy spending! Your account balance is back to normal - enjoy your funds! Your account balance is now replenished - time to make some purchases!
From:	"Pamphile Cinkan (via Google Slides)" <drive-shares-noreply@google.com>
To:	cvanreenen@hotmail.com
Cc:	yewhiano@hotmail.com, andymartinez121@hotmail.com, nezka.e@hotmail.com, ainhoa_toscal@hotmail.com
BCC:	yewhiano@hotmail.com, andymartinez121@hotmail.com, nezka.e@hotmail.com, ainhoa_toscal@hotmail.com
Date:	Mon, 23 Dec 2024 00:29:05 +0000
Communications:	Attached: Open 332.pdf Sent using Google Docs https://docs.google.com/ Weve received your payment application! Our team is committed to reviewing it promptly and efficiently. You can expect a decision within Granby. In the meantime, if you have any questions, please dont hesitate to reach out. We appreciate your patience! https://docs.google.com/drawings/d/1dkbLi49y3JQRyVOPkSMc7r-v-rgTS9vROyawOplkRes/preview suction that completely fails without the use of Cathcarts tube. The Such being his observations and views, he rejoiced in the popular Putavimus eum quasi leprosum. Isa. liii. . digestive juices of the animal have converted the starches and sugars.
Attachments:	Open 332.pdf

Key	Value
Received	by mail-qv1-f71.google.com with SMTP id 6a1803df08f44-6dcd1e4a051so81737776d6.2 for <cvanreenen@hotmail.com>; Sun, 22 Dec 2024 16:29:05 -0800 (PST)
Authentication-Results	spf=pass (sender IP is 209.85.219.71) smtp.mailfrom=doclist.bounces.google.com; dkim=pass (signature was verified) header.d=google.com;dmarc=pass action=none header.from=google.com;compauth=pass reason=100
Received-SPF	Pass (protection.outlook.com: domain of doclist.bounces.google.com designates 209.85.219.71 as permitted sender) receiver=protection.outlook.com; client-ip=209.85.219.71; helo=mail-qv1-f71.google.com; pr=C
X-IncomingTopHeaderMarker	OriginalChecksum:F6C7869BF6D1CED58893F2DC51444635A8C36CDC95A88382BAC49F196715AE68;UpperCasedChecksum:3D9A4BAF7BF36486B3C8BB7A54CB2BF25C91700A7196FCD678C491D24789EDD0;SizeAsReceived:4012;Count:17
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1734913745; x=1735518545; darn=hotmail.com; h=cc:to:from:subject:date:message-id:references:reply-to:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=aGAJ0gnW7kDhGSOWk482UbgMznfmO7QI40+SBxCO57s=; b=jOePDKj+sJKd+kOgKMVdyicyyjC10Ul0qjOHkcDFKuOjrTkRi1yPwcjSW5GvmsQ8ng 3s88rxJuV+WRX0PlbnRcsEgoT1wMyU1j9MZFS81B0Wf2f/9DKC+2coitIx+mxLyNo3XP SulbsRBt9456lwqx8oz+DbMZIcJS/Ok/cqueAiIdf4PSmiris9soMKwQQWnObO50GITt xvHvbik/tlh/u1XBn8owBtos0/q/FJYmN3ROkslzQgar5n8FVKib5WMQcbP4zarDqgFE dMwVXn3L6Zs86pTTzMeo/IndbGgb9PAKa1JRpB+3k+bKfBrNcmdIVqfA12rFZqJBis6p 1B0Q==
X-Google-DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734913745; x=1735518545; h=cc:to:from:subject:date:message-id:references:reply-to:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=aGAJ0gnW7kDhGSOWk482UbgMznfmO7QI40+SBxCO57s=; b=NNEqakly5gWxE5kBhGPwb/wgoPa+KLMwDYy2OnQSlOtuupBVRQr3zus/zIk1BEGUGK uSXnamOwm5Een1dF3TqZNX7+r8Ghp40asz79wBOpV4cjb7uGJ7P/w4rj+p8xm+jtlvpC CsiCSydEahf1flAvPo3CdPRd44cN7ohjYa9TQqnMy7dtnHCaTf1GXODf6xXWGncTZ/+h wfv6s/4zhrTtcBisJgnJGz73LROnAXWu3bwoT2rFdHREezswHWTPYaVBlgr3f31oYifr dyYsWAIPkBZE+PGgTDEGCLGtxYXE2Qs5kolWdVQcYJtCHplyZ8l9QksbyyBZiTQcnk2w tKJg==
X-Gm-Message-State	AOJu0YxIrZ/hO2r3E9ztGkGd8PfwUOsOVHr+p+RJNGDq+u72itJmIrLa nlwm2vlIUJBdSDI6atdrvvkwwbENHk/p96mezClwnCwF8SpFQFtuGgOzTiT45I3Gy8YPO7icewd zum9SmCynSwdzYDa4coBOeu10
X-Google-Smtp-Source	AGHT+IGiCnMHMMvPlyjwqLpX74+Nu2ZY2PxyiWYyIbEm+tO2LMmHOenhoEnt5UvYvD6mrX6wiNQmm1YpDM4=
X-Received	by 2002:a05:6214:2522:b0:6d4:1813:1f20 with SMTP id 6a1803df08f44-6dd2330b0b2mr164015306d6.8.1734913745131; Sun, 22 Dec 2024 16:29:05 -0800 (PST)
Reply-To	Pamphile Cinkan <coppesmeronexcj@bbpaxuxyc.zeqifeku.quest>
X-No-Auto-Attachment	1
References	<78684d56-dfdc-463c-84cf-1466e33202be@docs-share.google.com>
Message-ID	<autogen-java-24312fb5-d7fa-4ef7-b3b7-6ef8cd01a721@google.com>
Date	Mon, 23 Dec 2024 00:29:05 +0000
Subject	Your account balance has been replenished with your funds! Get ready to spend with your replenished account balance! Your funds are back and your account balance is looking good! Your account balance is now replenished with your funds! Your account balance is back to normal with your funds! Your account balance is now replenished - time to treat yourself! Your account balance is looking healthy with your funds replenished! Your account balance is back to normal - thanks for your patience! Your account balance is now replenished - happy spending! Your account balance is back to normal - enjoy your funds! Your account balance is now replenished - time to make some purchases!
From	"Pamphile Cinkan (via Google Slides)" <drive-shares-noreply@google.com>
To	cvanreenen@hotmail.com
Cc	yewhiano@hotmail.com, andymartinez121@hotmail.com, nezka.e@hotmail.com, ainhoa_toscal@hotmail.com
Content-Type	multipart/mixed; boundary="0000000000007eb1130629e515fa"
X-IncomingHeaderCount	17
Return-Path	30a5oZxQKChQxB2Fy-C1uByC-78By95I08805y.w86wFu7Byy7y718D6u25.w86@doclist.bounces.google.com
X-MS-Exchange-Organization-ExpirationStartTime	23 Dec 2024 00:29:05.9949 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	ae62c185-f168-446f-3064-08dd22e8cf2b
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	AM1PEPF000252DF:EE_\|CO1PR03MB7986:EE_\|SN6PR03MB4223:EE_
X-MS-Exchange-Organization-AuthSource	AM1PEPF000252DF.eurprd07.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-UserLastLogonTime	12/23/2024 12:21:44 AM
X-MS-Office365-Filtering-Correlation-Id	ae62c185-f168-446f-3064-08dd22e8cf2b
X-MS-Exchange-EOPDirect	true
X-Sender-IP	209.85.219.71
X-SID-PRA	DRIVE-SHARES-NOREPLY@GOOGLE.COM
X-SID-Result	PASS
X-MS-Exchange-Organization-SCL	1
X-Microsoft-Antispam	BCL:3;ARA:1444111002\|1680799054\|6092099012\|1131999016\|9400799030\|10300799035\|9020799016\|9000799050\|47200799021\|461199028\|58200799018\|68400799013\|21080799006\|7002799012\|3412199025\|4302099013\|440099028\|8011999015\|6111999015\|4141999021\|21101999018\|1370799030\|1380799030\|1360799030\|56899033\|1602099012;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	23 Dec 2024 00:29:05.8543 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id	ae62c185-f168-446f-3064-08dd22e8cf2b
X-MS-Exchange-CrossTenant-Id	84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-AuthSource	AM1PEPF000252DF.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg	00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped	CO1PR03MB7986
X-MS-Exchange-Transport-EndToEndLatency	00:00:03.3663341
X-MS-Exchange-Processed-By-BccFoldering	15.20.8272.000
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000308)(920221119095)(90000117)(920221120095)(90010023)(91010020)(91040095)(9050020)(9100341)(944500132)(4810010)(4910033)(9575002)(10195002)(9320005)(120001);
X-Message-Delivery	Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0z
X-Microsoft-Antispam-Message-Info	tbPwqCnpi87JhfCbx5Nb9lTGdygRt/ZGf2aVWY6JkylFZa2YqUtg8w1dns5OrF/njgKXnr80/whi74Q2eVr1u2JKYvM+7MFvau84n6ZFCJZ801O6xHdTN3P1Tf+XrT0FpHpED6W9WLWXBuUP+Bgh8nJsEF3EOaoapF8Z5gt3Czx+MvcNvzKUqP+S0fiXRWPQ2wEfmsowlqwvcovkWiEZ0tKC6axV78kSLfA6ReMZHpPojboTpTDkfVGWbSP+PouiK57pxlfB+4MH0JhSHPvDA0W6x1OgYw0GcSuphNMM3yv93S7fP29t0s9L1KbI/AX29Kg5ggb4LEu20U2b6R2IflKwl+shk454hh2seJ0jpGfCGbe6ZQn58JJoE/PYYETFWN6OAN4dX28zYytewRre1muRt0wrTnveSfhswYbkujPp8rdQlne7+VtUMy9Z06ptzjzhZOaZsX7rBx9wJcdq/YDM3PSX3k2cl1rkAtyu5LOZtivhV6bU0dSO9Ma1xojI+A19yubeTz7h/1zjk/IFG+pNktMnapcWIrOYbbO4cmZ9XVgFM+r5L7Iu8Xr3rJC6pQPXAzIMhTvAy7QfllXipdhBWFSHTu8LpyzZwU2z9JO1+NgrFyiO+uLo6jOcxfzC6Dfs/ZbOSWPHsv7GUufiTZR73d41ThifyIgEebwaeP4jPrzuqiWyBQP64WU5e4t5EZYZXnBETFwPvrQW7dh1IuPiYVTH6GBCoFrXREW7h7yYosN7o0GTvUgDJhycz14nCFFgnHWkni32rN6NPcczfd/GNggBN5gTdasn2KXkgBwmDZ90D6+/0fCtkHIIt1z7gO31YV79fIldvfEMO/hjkM1GuG/XXDwqSKGz+hovK12n4HCetqe0DdnuO6YIg1y89zv67i+UvdvPQkPzG2I0Cmyu3TRVbOibpIW9QUUlW3mlCzSgc/aVmkd/DSS66DGQWf6zIw51/3+7uc2DciLY/2Pu6V3kf6q8vXFj0BeTB0hbl1qCn4mg26e7gZ4yZjmLnM9g5d/y+oTkqy2nJPPP7wLoEqpPaxBDgKWHSgv3iBP0tq+0vbIlbKzclV5EOn+a1ArklsloWnvh4RmwMCclUYr+enpiRfaWaiXIa2lmc/a8Vz+Cf12G4M5i1gdN4GLOmqIelfUt5eQegMHc6ThTWXrAbUoZ1XPDUCrXgtANfEDYNTrBUkimgMHzfHGIUr3kyrqDABxB1+pi5KmeRk4h7SFRu+JCAzUEIREKaJtiZLKYDUB+AEwxcc6OhEFBy3oXpIoxZstg7WSfrF+5BNah4fCvcdzdQhZ8fw2L5iAqj2PGMNv54ty6YsvKA+KAt8B9O1stfbUWxomCSOZcPOs4xfrnzRE8Y7QvoO/8GhtZjyUIOWTpW998LMG+vMNpgay/WQQgqvtgD8nDHQsme+Y0JkqTd3rM4SZ4vWRDAnrV9mfSnVwixW4RBW4wbVmDNyQji2Ox/Yv0rHn1mQSk6ZiTBUckUDTfyqe2Plsy87Pgfr3gP/T4n3kM40IJAqIfRqEGgj5sCi30v5cBD+R8UCeKvfhoUQ3jme1VGdAFep5YTytjlJ6NOv1+0567ybTJHHGEotlOgKwa+L6su3krnY1R2gMZS6iKDvBlsNLCfEfunwDcgz7J9DZ0g/3KLC6T/7Q2YTy0HvKClxnjF+0WIeF8nq0VFtNvtfQAwXqueqNI4dPw83jDSHvsiR0YCPpJPH41p0rMJkHEPUapm0at5DNFzm1EdkxIUPlVGKrpbCbOmMHLGI5TKSoAtmb+lmniBnLfnohe7pf21Kw517kL3OsEuIgaId4s5ltuEEdYORhAvxfrWowRKfDkmeOA3ye25lFNdDKZbDmDENLL6b4CTUEqmL0LjJ3WEnYCm8q96Gt8hK8pi86wpWTtr9L4yAvFAtoveMxYjfWEPRXl55teKNmZxXgYRSPBX0RhCDKS13CatYbDMWuwa14bvv+gilArm1DsaRaoIjdOi8EgVZBVXhtzvxJ7cbnLIM9tgBceGYYTDsFuY+VGdGkqOf6JhJXG375eKizXEEcQdWS45bfTb/dWVXhJ75M7HMyBOTnJFPBe6xgOAkY+Ik3z7E4kxk4flmqmzF5Oc0kmonOjUvJSzcY7hg==
MIME-Version	1.0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 03:56:12.430694103 CET	49673	443	192.168.2.16	204.79.197.203
Jan 4, 2025 03:56:12.732476950 CET	49673	443	192.168.2.16	204.79.197.203
Jan 4, 2025 03:56:13.338474989 CET	49673	443	192.168.2.16	204.79.197.203
Jan 4, 2025 03:56:14.539562941 CET	49673	443	192.168.2.16	204.79.197.203
Jan 4, 2025 03:56:15.194905996 CET	49689	80	192.168.2.16	192.229.211.108
Jan 4, 2025 03:56:15.395153999 CET	49703	443	192.168.2.16	40.126.31.69
Jan 4, 2025 03:56:15.395260096 CET	49703	443	192.168.2.16	40.126.31.69
Jan 4, 2025 03:56:15.400089979 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.400130033 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.400139093 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.400166035 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.400320053 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748356104 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748370886 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748377085 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748435974 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748455048 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748488903 CET	49703	443	192.168.2.16	40.126.31.69
Jan 4, 2025 03:56:15.748526096 CET	49703	443	192.168.2.16	40.126.31.69
Jan 4, 2025 03:56:15.748841047 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748852968 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748863935 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748876095 CET	443	49703	40.126.31.69	192.168.2.16
Jan 4, 2025 03:56:15.748886108 CET	49703	443	192.168.2.16	40.126.31.69
Jan 4, 2025 03:56:15.748915911 CET	49703	443	192.168.2.16	40.126.31.69
Jan 4, 2025 03:56:16.945501089 CET	49673	443	192.168.2.16	204.79.197.203
Jan 4, 2025 03:56:20.589030027 CET	49678	443	192.168.2.16	20.189.173.10
Jan 4, 2025 03:56:20.891504049 CET	49678	443	192.168.2.16	20.189.173.10
Jan 4, 2025 03:56:21.506489038 CET	49678	443	192.168.2.16	20.189.173.10
Jan 4, 2025 03:56:21.759494066 CET	49673	443	192.168.2.16	204.79.197.203
Jan 4, 2025 03:56:22.715497017 CET	49678	443	192.168.2.16	20.189.173.10
Jan 4, 2025 03:56:25.058098078 CET	49680	80	192.168.2.16	192.229.211.108
Jan 4, 2025 03:56:25.121560097 CET	49678	443	192.168.2.16	20.189.173.10
Jan 4, 2025 03:56:25.362119913 CET	49680	80	192.168.2.16	192.229.211.108
Jan 4, 2025 03:56:25.962439060 CET	49680	80	192.168.2.16	192.229.211.108
Jan 4, 2025 03:56:27.166508913 CET	49680	80	192.168.2.16	192.229.211.108
Jan 4, 2025 03:56:29.572149992 CET	49680	80	192.168.2.16	192.229.211.108
Jan 4, 2025 03:56:29.936510086 CET	49678	443	192.168.2.16	20.189.173.10
Jan 4, 2025 03:56:31.371541023 CET	49673	443	192.168.2.16	204.79.197.203
Jan 4, 2025 03:56:34.373662949 CET	49680	80	192.168.2.16	192.229.211.108
Jan 4, 2025 03:56:37.708441019 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:37.708466053 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:37.708527088 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:37.708935022 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:37.708952904 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.357084990 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.357377052 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.357402086 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.358417034 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.358510971 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.359621048 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.359695911 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.359797001 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.359803915 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.403528929 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.650461912 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.650496960 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.650558949 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.650578022 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.650626898 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.650669098 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.651510954 CET	49726	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.651525021 CET	443	49726	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.706343889 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.706376076 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:38.706439972 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.706648111 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:38.706660032 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.353705883 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.356005907 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:39.356035948 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.356360912 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.356921911 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:39.356981993 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.357168913 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:39.399338007 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.546586990 CET	49678	443	192.168.2.16	20.189.173.10
Jan 4, 2025 03:56:39.627890110 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.627940893 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.627974033 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.628011942 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.628026009 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:39.628052950 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.628067970 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:39.628128052 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.629703045 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:39.629841089 CET	49731	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:39.629854918 CET	443	49731	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:39.640126944 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:39.640170097 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:39.640243053 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:39.640435934 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:39.640446901 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.276798010 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.277070999 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.277092934 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.278104067 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.278198957 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.278470039 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.278531075 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.278716087 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.278722048 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.326550961 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.549598932 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.549654007 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.549688101 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.549712896 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.549721003 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.549731970 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.549772978 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.549854994 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:40.549910069 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.550769091 CET	49732	443	192.168.2.16	142.250.184.196
Jan 4, 2025 03:56:40.550786972 CET	443	49732	142.250.184.196	192.168.2.16
Jan 4, 2025 03:56:42.516942024 CET	49733	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:42.516995907 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:42.517112017 CET	49733	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:42.517334938 CET	49733	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:42.517350912 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:43.163964033 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:43.164205074 CET	49733	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:43.164232969 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:43.164554119 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:43.164859056 CET	49733	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:43.164922953 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:43.211559057 CET	49733	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:43.977585077 CET	49680	80	192.168.2.16	192.229.211.108
Jan 4, 2025 03:56:53.071558952 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:53.071620941 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:56:53.071769953 CET	49733	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:53.842981100 CET	49733	443	192.168.2.16	142.250.186.36
Jan 4, 2025 03:56:53.843019009 CET	443	49733	142.250.186.36	192.168.2.16
Jan 4, 2025 03:57:34.451059103 CET	49694	443	192.168.2.16	142.250.185.227
Jan 4, 2025 03:57:34.451931953 CET	49693	443	192.168.2.16	142.250.185.67
Jan 4, 2025 03:57:34.456202030 CET	443	49694	142.250.185.227	192.168.2.16
Jan 4, 2025 03:57:34.456330061 CET	49694	443	192.168.2.16	142.250.185.227
Jan 4, 2025 03:57:34.456862926 CET	443	49693	142.250.185.67	192.168.2.16
Jan 4, 2025 03:57:34.456919909 CET	49693	443	192.168.2.16	142.250.185.67
Jan 4, 2025 03:57:34.524152040 CET	49692	443	192.168.2.16	142.250.184.193
Jan 4, 2025 03:57:34.529150963 CET	443	49692	142.250.184.193	192.168.2.16
Jan 4, 2025 03:57:34.529279947 CET	49692	443	192.168.2.16	142.250.184.193

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 03:56:35.092937946 CET	50654	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:37.699491024 CET	53	65016	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:37.714359045 CET	53	54854	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:38.695765972 CET	53	65078	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:43.102404118 CET	56552	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:43.102539062 CET	60473	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:43.110945940 CET	53	56552	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:43.111038923 CET	53	60473	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:43.111661911 CET	64414	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:43.120472908 CET	53	64414	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:43.249495029 CET	61882	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:43.249878883 CET	56638	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:43.258333921 CET	53	61882	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:43.258620024 CET	53	56638	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:44.334295988 CET	63382	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:44.334538937 CET	54382	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:44.344475031 CET	53	54382	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:44.348439932 CET	53	63382	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:49.359005928 CET	60205	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:49.359174967 CET	55780	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:49.367671013 CET	53	55780	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:49.374389887 CET	53	60205	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:49.375214100 CET	61765	53	192.168.2.16	1.1.1.1
Jan 4, 2025 03:56:49.384139061 CET	53	61765	1.1.1.1	192.168.2.16
Jan 4, 2025 03:56:55.719614029 CET	53	59469	1.1.1.1	192.168.2.16
Jan 4, 2025 03:57:16.766639948 CET	138	138	192.168.2.16	192.168.2.255

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 4, 2025 03:56:35.099944115 CET	1.1.1.1	192.168.2.16	0xbd4e	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 4, 2025 03:56:35.767477036 CET	1.1.1.1	192.168.2.16	0x7b60	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 4, 2025 03:56:35.767477036 CET	1.1.1.1	192.168.2.16	0x7b60	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 4, 2025 03:56:43.110945940 CET	1.1.1.1	192.168.2.16	0x1efd	Name error (3)	offsiteforms.store	none	none	A (IP address)	IN (0x0001)	false
Jan 4, 2025 03:56:43.111038923 CET	1.1.1.1	192.168.2.16	0x6c9c	Name error (3)	offsiteforms.store	none	none	65	IN (0x0001)	false
Jan 4, 2025 03:56:43.120472908 CET	1.1.1.1	192.168.2.16	0xb993	Name error (3)	offsiteforms.store	none	none	A (IP address)	IN (0x0001)	false
Jan 4, 2025 03:56:43.258333921 CET	1.1.1.1	192.168.2.16	0x15b9	Name error (3)	offsiteforms.store	none	none	A (IP address)	IN (0x0001)	false
Jan 4, 2025 03:56:43.258620024 CET	1.1.1.1	192.168.2.16	0x9393	Name error (3)	offsiteforms.store	none	none	65	IN (0x0001)	false
Jan 4, 2025 03:56:44.344475031 CET	1.1.1.1	192.168.2.16	0x5eef	Name error (3)	offsiteforms.store	none	none	65	IN (0x0001)	false
Jan 4, 2025 03:56:44.348439932 CET	1.1.1.1	192.168.2.16	0x8045	Name error (3)	offsiteforms.store	none	none	A (IP address)	IN (0x0001)	false
Jan 4, 2025 03:56:49.367671013 CET	1.1.1.1	192.168.2.16	0xca13	Name error (3)	offsiteforms.store	none	none	65	IN (0x0001)	false
Jan 4, 2025 03:56:49.374389887 CET	1.1.1.1	192.168.2.16	0x9a1c	Name error (3)	offsiteforms.store	none	none	A (IP address)	IN (0x0001)	false
Jan 4, 2025 03:56:49.384139061 CET	1.1.1.1	192.168.2.16	0x3736	Name error (3)	offsiteforms.store	none	none	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2025-01-04 02:56:38 UTC	923	OUT	GET /url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIkqHLAQj2mM0BCIWgzQEI3L3NAQi5ys0BCMfRzQEIidPNAQjc080BCMvWzQEI9NbNAQiK180BCKfYzQEI+cDUFRi60s0BGMvYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-04 02:56:38 UTC	1176	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 02:56:38 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 Set-Cookie: NID=520=Ambpgyum6R16n3Ex1ERRSrZGjUeEfba1ZVicRJDb4ipkDbVjdu8n4ttdqaKYn6DFzbiExu6Rh9B3L-Wy5qzcY0w_aiIQlWbO44BSb50l3_X5XYBaTbgMcucnWWdqPHc5Cd3mh_v5x0pb1vOZlief4uoY2vL02z5pRKizUkRn2s1bKYNm-rl7FyKXzVspeKjKG3zf4w; expires=Sun, 06-Jul-2025 02:56:38 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-01-04 02:56:38 UTC	214	IN	Data Raw: 36 30 34 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 20 4e 6f 74 69 63 65 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 62 6f 64 79 2c 64 69 76 2c 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 52 6f 62 6f 74 6f 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 6d 61 72 67 69 6e 2d 74 6f Data Ascii: 604<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Redirect Notice</title><style>body,div,a{font-family:Roboto,Arial,sans-serif}body{background-color:#fff;margin-to
2025-01-04 02:56:38 UTC	1333	IN	Data Raw: 70 3a 33 70 78 7d 64 69 76 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 61 3a 6c 69 6e 6b 7b 63 6f 6c 6f 72 3a 23 36 38 31 64 61 38 7d 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 36 38 31 64 61 38 7d 61 3a 61 63 74 69 76 65 7b 63 6f 6c 6f 72 3a 23 65 61 34 33 33 35 7d 64 69 76 2e 6d 79 6d 47 6f 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 76 61 72 28 2d 2d 67 53 35 6a 58 62 29 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 76 61 72 28 2d 2d 67 53 35 6a 58 62 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 65 6d 3b 77 69 64 74 68 3a 31 30 30 25 7d 64 69 76 2e 61 58 67 61 47 62 7b 70 61 64 64 69 6e 67 3a 30 2e 35 65 6d 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 Data Ascii: p:3px}div{color:#000}a:link{color:#681da8}a:visited{color:#681da8}a:active{color:#ea4335}div.mymGo{border-top:1px solid var(--gS5jXb);border-bottom:1px solid var(--gS5jXb);background:#f8f9fa;margin-top:1em;width:100%}div.aXgaGb{padding:0.5em 0;margin-left
2025-01-04 02:56:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-04 02:56:39 UTC	1395	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-prefers-color-scheme: light sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIkqHLAQj2mM0BCIWgzQEI3L3NAQi5ys0BCMfRzQEIidPNAQjc080BCMvWzQEI9NbNAQiK180BCKfYzQEI+cDUFRi60s0BGMvYzQEY642lFw== Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=520=Ambpgyum6R16n3Ex1ERRSrZGjUeEfba1ZVicRJDb4ipkDbVjdu8n4ttdqaKYn6DFzbiExu6Rh9B3L-Wy5qzcY0w_aiIQlWbO44BSb50l3_X5XYBaTbgMcucnWWdqPHc5Cd3mh_v5x0pb1vOZlief4uoY2vL02z5pRKizUkRn2s1bKYNm-rl7FyKXzVspeKjKG3zf4w
2025-01-04 02:56:39 UTC	704	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Sat, 04 Jan 2025 02:54:04 GMT Expires: Sun, 12 Jan 2025 02:54:04 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 155 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-04 02:56:39 UTC	686	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2025-01-04 02:56:39 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a eb Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2025-01-04 02:56:39 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff fc Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2025-01-04 02:56:39 UTC	1390	IN	Data Raw: f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2025-01-04 02:56:39 UTC	574	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Timestamp	Bytes transferred	Direction	Data
2025-01-04 02:56:40 UTC	658	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / X-Client-Data: CIu2yQEIprbJAQipncoBCLbgygEIkqHLAQj2mM0BCIWgzQEIucrNAQiJ080BGMvYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=520=Ambpgyum6R16n3Ex1ERRSrZGjUeEfba1ZVicRJDb4ipkDbVjdu8n4ttdqaKYn6DFzbiExu6Rh9B3L-Wy5qzcY0w_aiIQlWbO44BSb50l3_X5XYBaTbgMcucnWWdqPHc5Cd3mh_v5x0pb1vOZlief4uoY2vL02z5pRKizUkRn2s1bKYNm-rl7FyKXzVspeKjKG3zf4w
2025-01-04 02:56:40 UTC	704	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Sat, 04 Jan 2025 02:54:04 GMT Expires: Sun, 12 Jan 2025 02:54:04 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 156 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-04 02:56:40 UTC	686	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2025-01-04 02:56:40 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a eb Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2025-01-04 02:56:40 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff fc Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2025-01-04 02:56:40 UTC	1390	IN	Data Raw: f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2025-01-04 02:56:40 UTC	574	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Target ID:	0
Start time:	21:56:09
Start date:	03/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phishingtest.eml"
Imagebase:	0xcb0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	21:56:10
Start date:	03/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "AE3842F3-4B46-407E-93B9-BC48317ECC3C" "6414065B-BA2B-4351-945D-A87980A02F5D" "6972" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff717900000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	21:56:20
Start date:	03/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\7V90LNRU\Open 332.pdf"
Imagebase:	0x7ff671780000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	21:56:22
Start date:	03/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff767fb0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	15
Start time:	21:56:36
Start date:	03/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.google.com/url?q=https://offsiteforms.store/1wq4W8&sa=D&source=editors&ust=1734917344975185&usg=AOvVaw351shL2sABmvKRpEejl5tD
Imagebase:	0x7ff7f9810000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report phishingtest.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\7851c594-d350-4674-8507-440f4237afd1.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF54a976.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\f5dee65a-a010-4a7e-b7b4-b827ed509b09.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250104025626Z-167.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Windows Analysis Report
phishingtest.eml

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre