Edit tour

Windows Analysis Report
al arts).msg

Overview

General Information

Sample name:	al arts).msg renamed because original name is a hash value
Original sample name:	Application - Including ActorModel InfluencerIntertainer (IT qualified with model and martial arts).msg
Analysis ID:	1541254
MD5:	241b70549c9c6658839a4055bfc9e1e7
SHA1:	bebe04c35f1e46634fc61e087a2c3d951bee3912
SHA256:	f455df8ff4f49e71faf1595e7a22498e0faa700a0f59999f941ebec0a67f929a
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Outlook Security Settings Updated - Registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6164 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\al arts).msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6200 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91BBC8C8-C3F8-4BCC-A83A-134AC6805A1F" "CE449DFF-05F8-4366-9183-92382898AABF" "6164" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

Acrobat.exe (PID: 6396 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Portfolio.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 4480 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 1960 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=1600,i,7747233440129350338,15545740786662772743,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

Acrobat.exe (PID: 1288 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Qualifications.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 4480 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 5736 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1652,i,1819166867340817594,11624593012543888002,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

Acrobat.exe (PID: 2268 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\SACAP Recommendation Panel Member.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 2828 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 2272 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2064 --field-trial-handle=1664,i,3015666642311836785,12591759560587696159,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

Acrobat.exe (PID: 3652 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Civoc Committee Member Re-Appointment.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6164, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\SearchToolbarsDisabled

Sigma detected: Outlook Security Settings Updated - Registry

Source: Registry Key set

Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6164, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.38.184.133
Source: unknown	TCP traffic detected without corresponding DNS query: 23.38.184.133
Source: unknown	TCP traffic detected without corresponding DNS query: 23.38.184.133
Source: unknown	TCP traffic detected without corresponding DNS query: 23.38.184.133
Source: unknown	TCP traffic detected without corresponding DNS query: 23.38.184.133
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138
Source: unknown	TCP traffic detected without corresponding DNS query: 96.7.168.138

Source: global traffic

DNS traffic detected: DNS query: x1.i.lencr.org

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: classification engine

Classification label: clean1.winMSG@54/81@1/70

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241024T1015570167-6164.etl

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\al arts).msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91BBC8C8-C3F8-4BCC-A83A-134AC6805A1F" "CE449DFF-05F8-4366-9183-92382898AABF" "6164" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Portfolio.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=1600,i,7747233440129350338,15545740786662772743,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91BBC8C8-C3F8-4BCC-A83A-134AC6805A1F" "CE449DFF-05F8-4366-9183-92382898AABF" "6164" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Portfolio.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2260 --field-trial-handle=1600,i,7747233440129350338,15545740786662772743,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Qualifications.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1652,i,1819166867340817594,11624593012543888002,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Qualifications.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1652,i,1819166867340817594,11624593012543888002,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\SACAP Recommendation Panel Member.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2064 --field-trial-handle=1664,i,3015666642311836785,12591759560587696159,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Civoc Committee Member Re-Appointment.pdf"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\SACAP Recommendation Panel Member.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2064 --field-trial-handle=1664,i,3015666642311836785,12591759560587696159,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\0KMBSEFF\Civoc Committee Member Re-Appointment.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\InProcServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: al arts).msg

Static file information: File size 17753088 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		unknown
x1.i.lencr.org	unknown	unknown	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
2.23.197.184	unknown	European Union	1273	CWVodafoneGroupPLCEU	false
93.184.221.240	unknown	European Union	15133	EDGECASTUS	false
23.38.184.133	unknown	United States	16625	AKAMAI-ASUS	false
52.109.28.48	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
184.28.88.176	unknown	United States	16625	AKAMAI-ASUS	false
96.7.168.138	unknown	United States	262589	INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR	false
104.124.11.8	unknown	United States	20940	AKAMAI-ASN1EU	false
18.207.85.246	unknown	United States	14618	AMAZON-AESUS	false
13.89.179.9	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541254
Start date and time:	2024-10-24 16:15:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	al arts).msg renamed because original name is a hash value
Original Sample Name:	Application - Including ActorModel InfluencerIntertainer (IT qualified with model and martial arts).msg
Detection:	CLEAN
Classification:	clean1.winMSG@54/81@1/70
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: al arts).msg

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-20240620	{ "explanation": [ "The email content is incoherent and unrelated to any legitimate job application or professional communication", "The sender's address (analyzer@analyzer.securityeducation.com) doesn't match the content or claimed identity of the sender", "The email contains personal information and opinions unrelated to a job application, which is unusual and potentially suspicious" ], "phishing": false, "confidence": 7 }
Is this email content a phishing attempt? Please respond only in valid JSON format: Email content converted to JSON: { "date": "Thu, 24 Oct 2024 15:59:12 +0200", "subject": "Application - Including Actor/Model/ Influencer/Intertainer (IT qualified with model and martial arts)", "communications": [ "________________________________\n\nCAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.\n________________________________\n\n________________________________\n\nCAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.\n________________________________\n\nSir/Madam\n\nJob Search:\n\nFor you to have a clear view of my opinions on everything that is happening around me in the world, I did some YouTube videos and online radio episode.\n\nWill apply for asylum, other country citizenship when I arrive outside my country - one fight was created over another one into covering up the problems from 2005 when I left Department of&nbs p;Health, I can not elaborate on this or any other techniques were&are used as one of the countries I am applying here is my country for experience/money and international rules.\n\nHow many techniques can you use to cover up something from then until now, even as we speak I have no privacy in my country as they make sure I know that every day. How can I know that, but the are many more. Why are black people in my case falling inline of fire, who is 'promoting' them. The only thing I am doing is my curre nt job and secretly apply for high level jobs with no limit, they behave as if they know as if I am in a village.\n\nand you don't have authority or capacity or jurisdiction... to investigate such things, but I am force to say enough to get work.\n\nDave Chappelle's career started at the same time as Seinfeld, but I bet Seinfeld is a retired billionaire some were now and Dave Chappelle has to work. To fight for there 20 years experience, cleaning there public image and the money those people made that time, they create a new fight saying he is fighting with the Gay community and now its them the people who attack him before who are in his side.\n\nHeight - 6'1,\nJacket - Large,\nShoe - 11,\nWaist - 33,\nWeight - 81.\n\nYours Faithfully,\nS. Bukula\nCell. +27762083323 (Whatsapp too)\n15 Yoyo Street,\nZwide,\nPort Elizabeth,\nEastern Cape,\nSouth Africa,\n6201.\n(Applicant) \n" ], "from": "analyzer@analyzer.securityeducation.com", "to": "clear-abuse@weisigergroup.com" }
URL: PDF document Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "To view secured document, click here", "prominent_button_name": "Click here", "text_input_field_labels": [ "Email Address", "Cell phone", "Fax number" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false }

URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.", "prominent_button_name": "unknown", "text_input_field_labels": [ "Job Search:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false }

URL: PDF document Model: claude-3-haiku-20240307	```json { "brands": [] }
	```json { "brands": [] }
URL: Email Model: claude-3-haiku-20240307	```json { "brands": [] }
	```json { "brands": [] }

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.146735403018413
Encrypted:	false
SSDEEP:
MD5:	A42CD5AF59050B51964C580FA3C776BC
SHA1:	ED649288B2FC568AF1F7E1412C77AF50C816ACE1
SHA-256:	EA73909502B8B6B4A3FECED6D2AC1D516D9D8C6E0928F5D9B967932C3697B89F
SHA-512:	56B655752D3DA9A4634BB41661205E47FB504442AE4C593D46F8967DFA808D8784DA6C90D545686152B9F60CD9B59FE543C594FB28FF4D6D35086D0632B429D5
Malicious:	false
Reputation:	unknown
Preview:	2024/10/24-10:16:14.864 12a8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/24-10:16:14.868 12a8 Recovering log #3.2024/10/24-10:16:14.868 12a8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	7.866742072411265
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	al arts).msg
File size:	17'753'088 bytes
MD5:	241b70549c9c6658839a4055bfc9e1e7
SHA1:	bebe04c35f1e46634fc61e087a2c3d951bee3912
SHA256:	f455df8ff4f49e71faf1595e7a22498e0faa700a0f59999f941ebec0a67f929a
SHA512:	c4f20176a5e2065aca11a4fb70699ddca23d458117f3310d7daa34f2f2c54ac659a861c21af2c8b19512c16aca6c88bfb7a1c9dbb04f21cb498725743bea8e8f
SSDEEP:	393216:9ClYrpL2c0EZztYiP+pe+F9Nak6HGN1ks3W8aUmVB2p:ZZ2yZL+P33mr8a
TLSH:	D90733335CC58652E276CA786FE73D6EF61EBF1A9C4062DB10622FCE2E306119C5D219
File Content Preview:	........................>.......................p...........................b...o...n...m...k...i...............................................................f...c..........................................................................................

Subject:	Application - Including Actor/Model/ Influencer/Intertainer (IT qualified with model and martial arts)
From:	analyzer@analyzer.securityeducation.com
To:	clear-abuse@weisigergroup.com
Cc:
BCC:
Date:	Thu, 24 Oct 2024 15:59:12 +0200
Communications:	________________________________ CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. ________________________________ ________________________________ CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. ________________________________ Sir/Madam Job Search: For you to have a clear view of my opinions on everything that is happening around me in the world, I did some YouTube videos and online radio episode. Will apply for asylum, other country citizenship when I arrive outside my country - one fight was created over another one into covering up the problems from 2005 when I left Department of&nbs p;Health, I can not elaborate on this or any other techniques were&are used as one of the countries I am applying here is my country for experience/money and international rules. How many techniques can you use to cover up something from then until now, even as we speak I have no privacy in my country as they make sure I know that every day. How can I know that, but the are many more. Why are black people in my case falling inline of fire, who is 'promoting' them. The only thing I am doing is my curre nt job and secretly apply for high level jobs with no limit, they behave as if they know as if I am in a village. and you don't have authority or capacity or jurisdiction... to investigate such things, but I am force to say enough to get work. Dave Chappelle's career started at the same time as Seinfeld, but I bet Seinfeld is a retired billionaire some were now and Dave Chappelle has to work. To fight for there 20 years experience, cleaning there public image and the money those people made that time, they create a new fight saying he is fighting with the Gay community and now its them the people who attack him before who are in his side. Height - 6'1, Jacket - Large, Shoe - 11, Waist - 33, Weight - 81. Yours Faithfully, S. Bukula Cell. +27762083323 (Whatsapp too) 15 Yoyo Street, Zwide, Port Elizabeth, Eastern Cape, South Africa, 6201. (Applicant)
Attachments:	Portfolio.pdf heyyo_1622491349820_2865035801737406320.jpg Age40.jpeg FullPic.jpg VID_20220603_175408.mp4 Qualifications.pdf SACAP Recommendation Panel Member.pdf Civoc Committee Member Appointment.pdf CIVOC term of office & Appreciation-June 2023.pdf Civoc Committee Member Re-Appointment.pdf

Key	Value
Received	from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.bf2.yahoo.com with HTTP; Thu, 24 Oct 2024 13:59:36 +0000
BYAPR20MB2821.namprd20.prod.outlook.com with HTTPS; Thu, 24 Oct 2024 14	08:48
by DS0PR20MB6413.namprd20.prod.outlook.com (2603	10b6:8:159::11) with
2024 14	08:31 +0000
(2603	10b6:5:100::48) with Microsoft SMTP Server (version=TLS1_2,
Transport; Thu, 24 Oct 2024 14	08:29 +0000
Authentication-Results	spf=softfail (sender IP is 148.163.151.125)
Received-SPF	Neutral (protection.outlook.com: 148.163.155.71 is neither permitted nor denied by domain of yahoo.com)
15.20.8093.14 via Frontend Transport; Thu, 24 Oct 2024 14	08:28 +0000
Thu, 24 Oct 2024 10	08:23 -0400
Authentication-Results-Original	carolinacat.com; spf=pass smtp.mailfrom=bukulas@yahoo.com; dkim=pass header.s=s2048 header.d=yahoo.com; dmarc=pass header.from=yahoo.com
for <clear-abuse@weisigergroup.com>; Thu, 24 Oct 2024 10	08:18 -0400 (EDT)
for <clear-abuse@weisigergroup.com>; Thu, 24 Oct 2024 14	08:15 +0000 (UTC)
Content-Type	multipart/mixed; boundary="===============5364670376583075750=="
MIME-Version	1.0
Date	Thu, 24 Oct 2024 13:59:12 +0000 (UTC)
Subject	Application - Including Actor/Model/ Influencer/Intertainer (IT qualified with model and martial arts)
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1729778376; bh=CiMhU86+G431PeGU+MfnOG3cmXDrqRPK/Ma+0wlkJWY=; h=Date:From:In-Reply-To:References:Subject:From:Subject:Reply-To; b=sPdp1BEwZ47JOj+OCL8t9BjMdwzo0+/kF1x7wqbLQdj6D3ddYt7YFVU3NRxq7hiEQbEdJXoQkkL61UA82cwk5mT4gswhARr1SMdCtriuvpxQtCa5fncRSYBw3eHCrSGgasS+MUnBkiPsP3lJI0GhST4IQMnsoRTEEtZK1S0D9CoF+nVJ0BxHqXYTMGqReV189vU5rYzNYxxBRa59QluSUhHdfg82MyE4YmdiG7CwdgmhWkmChGg158BQ6hFAr6vddtBIZOXSSh74Bp1arMXoJUhIoWEWxo6wjERVmd6LphSbbbPb6IviF5tXyko6S3to+sAeVyj3VtVAZGa9JNMW7g==
X-SONIC-DKIM-SIGN	v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1729778377; bh=x+NsuPXxE8I9q7Ym4em2AInpx8Fv/GLcaMeGVuiHGfG=; h=X-Sonic-MF:Date:From:Subject:From:Subject; b=VVEPVupSnzzlloF9wU6CCweyER8G2yvGFsHtmLc5FhOGzW/byFCQY02U30fiyEzd9oXT0N9l13f83leWpeZoH9vwPxaYt95vIYnfpFhCp+zFk1Mwl/3wD52GMPx/h20KhRBxBWtaTzAlaBivDPJjP/rdaTFd2D2xWzS9XUkwpdqFEFWqvmpeZJyDXrDcBKwsGXZ6sS6SbWjmp/VQqUyyU6ZJmlb9pgbIUhEr7oQ+MuLAN96s+ieD+6OVyDnxv/llg7ssUklKic2ye0RgrfF1wmHpjtImtvcETy1KVp1UKHC0e2tPK4sT1i2ivBMPJs934lqR4uae1exXWXTC8MMSJg==
X-YMail-OSG	lpmcs3AVM1lLlbojLOnGJpwNiv1uMBmulNPpak0yqdoiHjpdMIUs5aikveKBK7K cebv8HOv.b9DICuDdvgVZJQ4krjDz9D.L4IBrHHmASv9Wy3mVg7TyU5PPnIH.JghoQFI0gWmRPUI VXV7cQpleAd9ypPEDqNtOC8MAigSeEcS065GIKmpFkwI6_cLDLDuVNvdy5uEWTzpLtBibpHhrYSP jTNE6skFq1sm9FidZf3smS29SDnmJxXSvLiA6CyHR2z8DO4BbvKyr.mHqab0FUkMH9I65zh9.LHC k1WwEUNd8efijGLw21DGfNSKOiPr9qeiNPnDQehnOiJvB4SFblBoUZOdj8Qt5Y3ttb7Qb_WKruut btnm8YNH3I1F_0jfOL1kSigWoIN_WY03ryhJFJRRIkaS6XEWe5RkP1Ny_QWEO8BYzFkqLAaOBuQm Ml68JPXfk0lpLPKrzIFyiZSCmNf.4t2CS1ZDgMmhLPDmQgHVmWNe0dM6vTm9WibfLoZ0d4nPoIRb 8gn1v2ShMhJYHXOI4yDuGBRQtAEGxnklxvTZpfcEIwrCQ8msPnHmZbnBob9XTEPe5j6nfou.NUbX Y0OtUZa3dtzsX4KUBrkFbXpf9jWUQP2KjvKVWHS8_cYzjOpQ5WEUdTt8QR0v3QSUdVE_EvirS6sU 8W_mzpg_sLtMFlIBiityb_37hseav4RHxVlbnfwqplHdu8h.FtaPKYqr4GGmIiG.luSxg0zeJqVF xauvkWl6i2ihnIbjH.0ZXhsmealNiawl5BghpXGrIOt7TMyfsHqXolTz7Fx7J3Q05bkB_LIP32Wk rS3FPi1NHLrLnE7TfaGW2BVTGOsvCkiLEvXafqZJDIZq027EFM9CSeOGbvLI.SWIyLpo1tp8ftmz QC._5jiNCpfsB3xPP9j7fb9OHk2zKRNVCYdNJgP9UlPDmyXU28_ARsAtlcSLrXRuqYhNVSB_jI
X-Sonic-MF	<bukulas@yahoo.com>
X-Sonic-ID	4000518b-78f1-468f-bfe1-9416d250ff4e
References	<539852665.3986040.1694324994363.ref@mail.yahoo.com> <539852665.3986040.1694324994363@mail.yahoo.com> <914183103.3979046.1694325272314@mail.yahoo.com> <1646627252.845296.1699246089710@mail.yahoo.com> <1482034477.1944069.1699250067597@mail.yahoo.com> <1969046082.3265529.1701543991160@mail.yahoo.com> <213510698.1434995.1702304809625@mail.yahoo.com> <1402634623.1223416.1709966476144@mail.yahoo.com> <1355323837.1806307.1710235059679@mail.yahoo.com> <426142858.2086596.1710309792628@mail.yahoo.com> <1764374592.2084204.1710309929072@mail.yahoo.com> <1141307966.2208080.1710350192573@mail.yahoo.com> <1327375866.2333465.1710382978027@mail.yahoo.com> <2094992804.2345501.1710383111210@mail.yahoo.com> <470722878.265447.1711131935274@mail.yahoo.com> <1316629392.5411953.1713072003298@mail.yahoo.com> <1199441544.2422765.1718093017561@mail.yahoo.com> <1492166070.5242595.1724153940023@mail.yahoo.com> <115928812.5353137.1724178368284@mail.yahoo.com> <684949549.5357203.1724178612482@mail.yah
X-Mailer	WebService/1.1.22806 YMailMini
X-CLX-Shades	MLX
X-Authority-Analysis	v=2.4 cv=AbnjHGXG c=1 sm=1 tr=0 ts=671a52df cx=c_pps a=cQqS3QABa1i1je/Szeii9Q==:117 a=9cW_t1CCXrUA:10 a=DAUX931o1VcA:10 a=1enQG0Rb0DYA:10 a=x7bEGLp0ZPQA:10 a=6-3z4ESPaP4A:10 a=s23OOv2JePUA:10 a=Bp0BBvT7Al8zpM0Bt5sA:9 a=QEXdDO2ut3YA:10 a=TARHkEnC4JyF1C4K:21 a=vfoxlPI3TKfATZubiW4A:9 a=n3BslyFRqc0A:10 a=x9I3668ZiE8A:10 a=7hx2hz1aG1wuJMqA4-YA:9 a=KQqxNPgzF0kA:10 a=2rKnfEBQLkbx4ewl4uQA:9 a=pCLjeSqRgc2co1cIApoA:9 a=I95hUHFZ0FazP98U9_8A:9 a=11516z0XXmQA:10 a=hRP7tDuYUIaDnJOBiVQA:9 a=Cl_jrCwBs5k02ZoXhtEA:9 a=GuJGy58QHR1RPHZPEyIA:9 a=tUa-TQltbqEgj7bEXVsA:9 a=1FKUQzPpzFRvWJEUPiAA:9 a=KWZKrUnrgeO1kK65X3nB:22
X-Proofpoint-GUID	gNn5-dF3mplUxI7PGilo6dCT_v3Tqwg2
X-CLX-Response	1TFkXEx8RCkx6FxkfGhEKWUQXZENMWR9IQUtBfE4RClhYF2hjUnNeRFBJHVN nEQp4Thd6RBwdb0VsbURDZhEKeUwXZV1NbG4bZ0JOemcRCkNIFwcdHBEKQ1kXBxgeHREKQ0kXGg QaGhoRCllNF2dmchEKWUkXGnEaEBp3Bh0fcR4eEB13BhgaBhoRClleF2xseREKSUYXSUtYRUZDR EtJS151QkVZXk9OEQpJRxd4T00RCkNOF01kRB8HTmwZR1pGf1JjHXptQ0ZFHE5pfnVcGX5bXU0Y EQpYXBcfBBoEGR0dBRsaBBsaGgQbGR4EGR8QGx4aHxoRCl5ZF09+BU4cEQpNXBcSGhEKTFoXaXt pQkVpEQpFWRdva00RCkxfF3oFBQUFBQUFBQVlEQpMRhdva2tsa2sRCkJPF2hGeUdMAUwcW3JuEQ pDWhcdHgQcBBsYEgQSGBEKQl4XGxEKRF4XGhEKQlwXGxEKXk4XGxEKQksXekQcHW9FbG1EQ2YRC kJJF3pEHB1vRWxtRENmEQpCRRdoY1JzXkRQSR1TZxEKQk4XekQcHW9FbG1EQ2YRCkJMF2hjUnNe RFBJHVNnEQpCbBdoY1JzXkRQSR1TZxEKQkAXZHJcHGd9Qx8bbWsRCkJYF2heE2BGYml/UEhPEQp NXhcbEQpaWBcZEQp5QxdiZHpDZVlHWmVYTBEKWUsXGxoSHRgRCnBoF2ROXUQbZk5JXxxNEBoRCn BoF2EaAWd4XnIfa2R8EBoRCnBoF2JmcAVfYRkdRhlpEBkaEQpwaBdlRAVbTmEccBtwEhAZGhEKc GgXYVMFbBp+bWVHX1kQGRoRCnBoF2lcTF4BfAFETWgSEBoRCnBoF2ATTAVvQkdaeRtLEBoRCnBo F2FhBVJOT2RiQkFQEBkaEQpwaxd6WkFETx9BfmNYYhAaEQpwSxdjGBhlfkt+QnJ9BRAbGxoRCm1 +FxsRClhN
X-Proofpoint-ORIG-GUID	gNn5-dF3mplUxI7PGilo6dCT_v3Tqwg2
X-Proofpoint-Virus-Version	vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1051,Hydra:6.0.680,FMLib:17.12.62.30 definitions=2024-10-24_15,2024-10-24_02,2024-09-30_01
X-Proofpoint-Spam-Details	rule=inbound_notspam policy=inbound score=0 priorityscore=350 impostorscore=0 adultscore=0 lowpriorityscore=0 unknownsenderscore=20 clxscore=95 mlxlogscore=75 bulkscore=0 malwarescore=0 suspectscore=0 mlxscore=0 spamscore=0 phishscore=0 classifier=parse_limit authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2409260000 definitions=main-2410240114 domainage_hfrom=10872
X-EOPAttributedMessage	1
X-EOPTenantAttributedMessage	8d82527c-9fb9-4488-b18a-02fa42b91d9b:1
X-MS-TrafficTypeDiagnostic	BL6PEPF0001AB51:EE_\|IA1PR20MB6760:EE_\|DS0PR20MB4960:EE_\|DS3PEPF000099DC:EE_\|DS0PR20MB6413:EE_\|BYAPR20MB2821:EE_
X-MS-Office365-Filtering-Correlation-Id	3768f28c-b73f-4b8b-e6e7-08dcf43555c8
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|7093399012\|12012899012\|8096899003;
X-Forefront-Antispam-Report-Untrusted	CIP:148.163.155.71;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx0b-002cd101.pphosted.com;PTR:mx0b-002cd101.pphosted.com;CAT:NONE;SFS:(13230040)(7093399012)(12012899012)(8096899003);DIR:INB;
X-Auto-Response-Suppress	DR, RN, NRN, OOF, AutoReply
X-MS-Exchange-Transport-CrossTenantHeadersStamped	DS0PR20MB6413
X-MS-Exchange-Transport-EndToEndLatency	00:00:20.2171770
X-MS-Exchange-Processed-By-BccFoldering	15.20.8093.014
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1310096);
X-Microsoft-Antispam-Message-Info-Original	=?us-ascii?Q?Zg4fToQcORSCK1XyQ3EniFIChFtzbLP2GDO7yXvpA9uEKSZS9PPQRQXcgLv/?=
X-PhishAlarm-Format	PhishAlarm O365 Add-In/4.5.211
X-PhishAlarm-Sender	"bukulas@yahoo.com" <bukulas@yahoo.com>
X-PhishAlarm-Reporter	SGray@weisigergroup.com
X-PhishAlarm-SES-key	78fad241-2f80-4c9c-9f47-b8015c4beacf
In-Reply-To	<1386046233.3176050.1729778360595@mail.yahoo.com>
Message-ID	<172977889371.8.10008684587329511309.analyzer@169.254.50.165>
X-PhishAlarm-Clear-Id	723af255-f691-484d-ad79-8d7e8bc23256
X-PhishAlarm-Clear-Timeout	180
X-PhishAlarm-Overcast-Trace-Token	ZGDX6g=NM-LqA=ZQ8-tLf9DDEGmOvHFxTJ
From	analyzer@analyzer.securityeducation.com
To	clear-abuse@weisigergroup.com
Return-Path	analyzer@analyzer.securityeducation.com
X-MS-Exchange-Organization-ExpirationStartTime	24 Oct 2024 14:08:28.9441
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	3768f28c-b73f-4b8b-e6e7-08dcf43555c8
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped	DS3PEPF000099DC.namprd04.prod.outlook.com
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	DS3PEPF000099DC.namprd04.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id-Prvs	03419f0f-652c-49de-cc5f-08dcf4343273
X-MS-Exchange-Organization-SCL	-1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|13012899012\|13102899012\|12012899012\|3092899012\|5062899012\|3072899012\|35042699022\|2092899012\|8096899003;
X-Forefront-Antispam-Report	CIP:148.163.151.125;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx0a-002cd101.pphosted.com;PTR:mx0a-002cd101.pphosted.com;CAT:NONE;SFS:(13230040)(13012899012)(13102899012)(12012899012)(3092899012)(5062899012)(3072899012)(35042699022)(2092899012)(8096899003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	24 Oct 2024 14:08:28.6160
X-MS-Exchange-CrossTenant-Network-Message-Id	3768f28c-b73f-4b8b-e6e7-08dcf43555c8
X-MS-Exchange-CrossTenant-Id	8d82527c-9fb9-4488-b18a-02fa42b91d9b
X-MS-Exchange-CrossTenant-AuthSource	DS3PEPF000099DC.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-Microsoft-Antispam-Message-Info	=?us-ascii?Q?hojgbt6fGCjiQw44VMv5oZsFwyBvkruPNdQ3nASgjpW7t1UhQEB7McFfp7UR?=
date	Thu, 24 Oct 2024 15:59:12 +0200

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report al arts).msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF52a8f3.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old~RF52a912.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\0a5edc79-5c7a-4ac3-8f06-d6812a213fdf.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\3967b086-1717-4e31-91ac-c445515a7138.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\79c9e04a-5a38-4a09-9af7-9fe888b15657.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF5298e5.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF531837.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old~RF52a950.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241024141618Z-172.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241024141714Z-159.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241024141740Z-153.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6008

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Windows Analysis Report
al arts).msg