Edit tour

Windows Analysis Report
cndx.com.eml

Overview

General Information

Sample name:	cndx.com.eml renamed because original name is a hash value
Original sample name:	NoteID [5087952] _Signature Requested on New Vendor Payment Agreement 2025.pdf - 11.3.2025 13448 Contact - infodcndx.com.eml
Analysis ID:	1635418
MD5:	d8244b47a6e21b23e267a15d475733f3
SHA1:	59542fd6d7b8f6934e1e3fc361480db37b4baff0
SHA256:	7bef7c7698183b80dcf4a38f786b4e1b952328292b019feb1eecf6ddecb1d768
Infos:

Detection

HTMLPhisher, Invisible JS, Tycoon2FA

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Found malware configuration

Yara detected HtmlPhish10

Yara detected Invisible JS

Yara detected Obfuscation Via HangulCharacter

Yara detected Tycoon 2FA PaaS

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

AI detected suspicious elements in Email content

AI detected suspicious elements in Email header

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Queries random domain names (often used to prevent blacklisting and sinkholes)

Sets file extension default program settings to executables

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTML body contains low number of good links

HTML body contains password input but no form action

HTML page contains hidden javascript code

HTML title does not match URL

Invalid T&C link found

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Outlook Security Settings Updated - Registry

Stores large binary data to the registry

Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 3628 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\cndx.com.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 3796 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C2C1DB76-E792-401E-B25F-D9AA653E3BBC" "328EA4D7-BCFC-4741-8B7C-89C6A268B6B1" "3628" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

Acrobat.exe (PID: 7124 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\New Vendor Payment Agreement.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7076 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 5680 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2264 --field-trial-handle=1600,i,11530587855780634379,1758848505498259293,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 7768 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://incasa.furniture/cllascio.php?342d36383734373437303733336132663266363535313534326537323663373137303666366536313737363937353739326537323735326637353461373336353537343732662d247b524543495049454e545f454d41494c7d MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 8048 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1996,i,17686875717613629800,8577659881032118236,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

Acrobat.exe (PID: 6712 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /b /id 656_966385559 /if pdfshell_preva55650e9-d035-4a7a-ad2b-e3fdf5fa4259 /CR MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

OpenWith.exe (PID: 3972 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

notepad.exe (PID: 7484 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\banners.dat MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Malware Configuration

Threatname: Tycoon2FA

{"otherweburl": "", "websitenames": "[\"godaddy\", \"okta\"]", "bes": "[\"Apple.com\",\"Netflix.com\"]", "pes": "[\"https:\\/\\/t.me\\/\",\"https:\\/\\/t.com\\/\",\"t.me\\/\",\"https:\\/\\/t.me.com\\/\",\"t.me.com\\/\",\"t.me@\",\"https:\\/\\/t.me@\",\"https:\\/\\/t.me\",\"https:\\/\\/t.com\",\"t.me\",\"https:\\/\\/t.me.com\",\"t.me.com\",\"t.me\\/@\",\"https:\\/\\/t.me\\/@\",\"https:\\/\\/t.me@\\/\",\"t.me@\\/\",\"https:\\/\\/www.telegram.me\\/\",\"https:\\/\\/www.telegram.me\"]", "capnum": "1", "appnum": "1", "pvn": "0", "view": "", "pagelinkval": "2orHC", "emailcheck": "0", "webname": "rtrim(/web8/, '/')", "urlo": "/lvPTLqclnU6Ne032t9nT6XrGeNpClEaxa8pRESzOyH28Zwd8B2aa1w", "gdf": "/ghZGhivVUwyd3q8fbWEUoYtsBEMT77uv2GfzHjPlmZnaoWs1ab120"}

Yara Signatures

HTML

Source	Rule	Description	Author
1.19.d.script.csv	JoeSecurity_Tycoon2FA	Yara detected Tycoon 2FA PaaS	Joe Security
1.5.d.script.csv	JoeSecurity_HangulCharacter	Yara detected Obfuscation Via HangulCharacter	Joe Security
1.5.d.script.csv	JoeSecurity_InvisibleJS	Yara detected Invisible JS	Joe Security
1.22..script.csv	JoeSecurity_HangulCharacter	Yara detected Obfuscation Via HangulCharacter	Joe Security
2.1.pages.csv	JoeSecurity_Tycoon2FA_1	Yara detected Tycoon 2FA PaaS	Joe Security
2.2.pages.csv	JoeSecurity_Tycoon2FA_1	Yara detected Tycoon 2FA PaaS	Joe Security
2.1.pages.csv	JoeSecurity_HangulCharacter	Yara detected Obfuscation Via HangulCharacter	Joe Security
2.2.pages.csv	JoeSecurity_HangulCharacter	Yara detected Obfuscation Via HangulCharacter	Joe Security
3.5.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.7.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.8.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.4.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
3.6.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
2.1.pages.csv	JoeSecurity_InvisibleJS	Yara detected Invisible JS	Joe Security
2.2.pages.csv	JoeSecurity_InvisibleJS	Yara detected Invisible JS	Joe Security
Click to see the 10 entries

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 3628, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Outlook Security Settings Updated - Registry

Source: Registry Key set

Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 3628, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.19.d.script.csv

Malware Configuration Extractor: Tycoon2FA {"otherweburl": "", "websitenames": "[\"godaddy\", \"okta\"]", "bes": "[\"Apple.com\",\"Netflix.com\"]", "pes": "[\"https:\\/\\/t.me\\/\",\"https:\\/\\/t.com\\/\",\"t.me\\/\",\"https:\\/\\/t.me.com\\/\",\"t.me.com\\/\",\"t.me@\",\"https:\\/\\/t.me@\",\"https:\\/\\/t.me\",\"https:\\/\\/t.com\",\"t.me\",\"https:\\/\\/t.me.com\",\"t.me.com\",\"t.me\\/@\",\"https:\\/\\/t.me\\/@\",\"https:\\/\\/t.me@\\/\",\"t.me@\\/\",\"https:\\/\\/www.telegram.me\\/\",\"https:\\/\\/www.telegram.me\"]", "capnum": "1", "appnum": "1", "pvn": "0", "view": "", "pagelinkval": "2orHC", "emailcheck": "0", "webname": "rtrim(/web8/, '/')", "urlo": "/lvPTLqclnU6Ne032t9nT6XrGeNpClEaxa8pRESzOyH28Zwd8B2aa1w", "gdf": "/ghZGhivVUwyd3q8fbWEUoYtsBEMT77uv2GfzHjPlmZnaoWs1ab120"}

Phishing

AI detected phishing page

Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'eqt.rlqponawiuy.ru' does not match the legitimate domain for Microsoft., The URL uses a suspicious domain extension '.ru', which is not typically associated with Microsoft., The URL contains random characters and does not resemble any known Microsoft subdomains or services., The presence of input fields for 'Email, phone, or Skype' is typical for phishing attempts targeting Microsoft accounts. DOM: 3.4.pages.csv
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is a well-known global technology company., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'eqt.rlqponawiuy.ru' does not match the legitimate domain for Microsoft., The URL uses a '.ru' domain extension, which is unusual for Microsoft and could indicate a phishing attempt., The URL contains random characters and does not resemble any known Microsoft subdomains., The presence of an input field for 'Enter password' is suspicious given the URL's lack of association with Microsoft. DOM: 3.7.pages.csv
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	Joe Sandbox AI: Score: 9 Reasons: The brand 'Microsoft' is classified as 'wellknown'., The legitimate domain for Microsoft is 'microsoft.com'., The provided URL 'eqt.rlqponawiuy.ru' does not match the legitimate domain for Microsoft., The URL uses a Russian domain extension '.ru', which is unusual for Microsoft., The URL contains random characters and does not resemble any known Microsoft subdomain or service., The presence of an email input field related to Microsoft services (outlook.com) on a suspicious domain increases the likelihood of phishing. DOM: 3.6.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 3.5.pages.csv, type: HTML
Source: Yara match	File source: 3.7.pages.csv, type: HTML
Source: Yara match	File source: 3.8.pages.csv, type: HTML
Source: Yara match	File source: 3.4.pages.csv, type: HTML
Source: Yara match	File source: 3.6.pages.csv, type: HTML

Yara detected Invisible JS

Source: Yara match	File source: 1.5.d.script.csv, type: HTML
Source: Yara match	File source: 2.1.pages.csv, type: HTML
Source: Yara match	File source: 2.2.pages.csv, type: HTML

Yara detected Obfuscation Via HangulCharacter

Source: Yara match	File source: 1.5.d.script.csv, type: HTML
Source: Yara match	File source: 1.22..script.csv, type: HTML
Source: Yara match	File source: 2.1.pages.csv, type: HTML
Source: Yara match	File source: 2.2.pages.csv, type: HTML

Yara detected Tycoon 2FA PaaS

Source: Yara match	File source: 2.1.pages.csv, type: HTML
Source: Yara match	File source: 2.2.pages.csv, type: HTML
Source: Yara match	File source: 1.19.d.script.csv, type: HTML

AI detected landing page (webpage, office document or email)

Source: PDF document	Joe Sandbox AI: Page contains button: 'Review and Sign' Source: 'PDF document'
Source: PDF document	Joe Sandbox AI: PDF document contains prominent button: 'review and sign'

AI detected suspicious Javascript

Source: 1.4.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: ... This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, blocking keyboard shortcuts, disabling right-click context menus, and using a debugger trap to redirect the user to an unrelated website. These behaviors are highly suspicious and indicate potential malicious intent, such as preventing the user from interacting with the page or redirecting them to a phishing site.
Source: 1.11..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://eqt.rlqponawiuy.ru/uJseWG/... This script demonstrates several high-risk behaviors, including dynamic code execution, potential data exfiltration, and suspicious redirection. The use of obfuscated code and the presence of anti-debugging techniques further increase the risk. Overall, this script exhibits a high level of malicious intent and should be considered a significant security threat.
Source: 1.14..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPM... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and aggressive DOM manipulation. It checks for the presence of web automation tools, redirects to a blank page, and intercepts keyboard and clipboard events to prevent common debugging and security actions. The script also includes a timer-based debugger trap and a redirect to an external domain, which are highly suspicious behaviors. Overall, this script demonstrates a clear intent to hinder analysis and potentially engage in malicious activities, warranting a high-risk score.
Source: 0.0.i.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://incasa.furniture/cllascio.php?342d36383734... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and the use of obfuscated code. It downloads and executes a remote script from an external domain, which could potentially contain malicious code. The script also performs cryptographic operations and decrypts data, which could be used to conceal malicious activities. Overall, this script exhibits a high level of suspicion and should be thoroughly investigated before allowing it to execute.
Source: 1.12.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: ... This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, disabling common keyboard shortcuts, preventing right-click context menus, and using a debugger-based technique to detect and redirect the user to an external domain. These behaviors are highly suspicious and indicate potential malicious intent, such as preventing user interaction and redirecting to a potentially malicious site.
Source: 1.3..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://eqt.rlqponawiuy.ru/uJseWG/... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `atob` and `decodeURIComponent` to decode and execute remote code is a clear indicator of malicious intent. Additionally, the script appears to be sending user data to an untrusted domain, which poses a significant risk of data theft or other malicious activities. Overall, this script exhibits a high level of suspicion and should be treated as a potential security threat.
Source: 1.5.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: ... This script demonstrates high-risk behaviors, including dynamic code execution using `eval()` and potential data exfiltration. The obfuscated code and use of Unicode characters further increase the risk. This script should be considered highly suspicious and requires thorough investigation.

AI detected suspicious elements in Email content

Source: Email

Joe Sandbox AI: Detected potential phishing email: The sender email appears spoofed - mixing Adobe branding with a suspicious contact email (info@dcndx.com). Contains suspicious embedded URL that redirects through multiple services and includes encoded parameters. Urgency in the message with a short deadline and request for financial/payment agreement signing

AI detected suspicious elements in Email header

Source: Email

Joe Sandbox AI: Detected suspicious elements in Email header: Message claims to be from adobesign.com but is sent from an IP in Moldova (tmg.md). Suspicious IP address (77.89.249.210) not associated with legitimate Adobe infrastructure. HELO identifier shows raw IP address instead of proper domain name. Attempt to impersonate Adobe Sign service through message-id and domain. Missing standard authentication headers (SPF, DKIM, DMARC) for a major service provider. Adobe Sign typically uses standardized infrastructure and not random IPs

Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX

HTTP Parser: Number of links: 0

Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://incasa.furniture/cllascio.php?342d36383734373437303733336132663266363535313534326537323663373137303666366536313737363937353739326537323735326637353461373336353537343732662d247b524543495049454e545f454d41494c7d

HTTP Parser: Base64 decoded: {"a":"DOH8jFUakuIZYDzUr\/CeW8bDtUwg36y3nVMIERoTdxFM2d1SG2gJPg5C6PknLClzvExOZkfEHMUZrTkLJbbPu9vthZeP4KsDP7ZxW2Hy\/kztB68ZjPPQt52MCDmg\/72kMRNsVmdgf9BMIG7iyOVuysSCj9KFIP\/lW65iqABdaQm9tOjR8AP3ybdG8JE31jpStbFCw44YhzEwU4UZ9pAegDefAmC+MMOvwQZ8dDbHDTLf5aun93gL2...

Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX

HTTP Parser: Title: Secure Account Access System does not match URL

Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: Invalid link: Terms of use
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: Invalid link: Privacy & cookies
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: Invalid link: Terms of use
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: Invalid link: Privacy & cookies
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: Invalid link: Terms of use
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: Invalid link: Privacy & cookies
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: Invalid link: Terms of use
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: Invalid link: Privacy & cookies

Source:	HTTP Parser: var otherweburl = "";var websitenames = ["godaddy", "okta"];var bes = ["apple.com","netflix.com"];var pes = ["https:\/\/t.me\/","https:\/\/t.com\/","t.me\/","https:\/\/t.me.com\/","t.me.com\/","t.me@","https:\/\/t.me@","https:\/\/t.me","https:\/\/t.com","t.me","https:\/\/t.me.com","t.me.com","t.me\/@","https:\/\/t.me\/@","https:\/\/t.me@\/","t.me@\/","https:\/\/www.telegram.me\/","https:\/\/www.telegram.me"];var capnum = 1;var appnum = 1;var pvn = 0;var view = "";var pagelinkval = "2orhc";var emailcheck = "0";var webname = "rtrim(/web8/, '/')";var urlo = "/lvptlqclnu6ne032t9nt6xrgenpcleaxa8preszoyh28zwd8b2aa1w";var gdf = "/ghzghivvuwyd3q8fbweuoytsbemt77uv2gfzhjplmznaows1ab120";var odf = "/ghsvlfsul7q8y1uyzmdw4upw9nuxzbd7bc1ab647";var twa = 0;var currentreq = null;var requestsent = false;var pagedata = "";var redirecturl = "";var useragent = navigator.useragent;var browsername;var userip;var usercountry;var errorcodeexecuted = false;if(useragent.match(/edg/i)){...
Source: https://incasa.furniture/cllascio.php?342d36383734373437303733336132663266363535313534326537323663373137303666366536313737363937353739326537323735326637353461373336353537343732662d247b524543495049454e545f454d41494c7d	HTTP Parser: var hlzqnktvhdnliwuj = document.createelement("script");hlzqnktvhdnliwuj.setattribute("src","https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js");document.head.append(hlzqnktvhdnliwuj);hlzqnktvhdnliwuj.onload=function(){var {a,b,c,d} = json.parse(atob("eyjhijoire9iogpgvwfrdulawur6vxjcl0nlvzhirhrvd2cznnkzblznsuvsb1rkeeznmmqxu0cyz0pqzzvdnlbrbkxdbhp2rxhpwmtmruhnvvpyvgtmsmjiuhu5dnrowmvqnetzrfa3wnhxmkh5xc9renrcnjhaalbquxq1mk1drg1nxc83mmtnuk5zvm1kz2y5qk1jrzdpeu9wdxlzu0nqoutgsvbcl2xxnjvpcufczgfrbtl0t2psoefqm3lizec4skuzmwpwu3rirkn3ndrzahpfd1u0vvo5ceflz0rlzkftqytntu92d1faogreykhevexmnwf1bjkzz0wyvwtibhewxc9oevk2z1ngzuuyrgfgcgtpttzrakviovh6xc9iwxg5axn6wxfyzenhzutxodu2sgowd09wagl2nerncvwvtlrzoehuvhljylnmqnhitzhvcnrjsgg1q0hknvbzrtnywulnq09hdgc2mlfhmem3ng9wbm5rdfwvd1h0ujrsaxjxtnjvt0pjxc9swdjwyvhuuupqamwxd0x2k3lunvfxefdfd3dtslqzvlbdwlptn2hqm3rnzdlssxdku0ntsk9szhrin25wstvanxnuwjbpn2tseexoqxmwa2fubepia0tnefkwwljzevlabmdvb2rtafzztlptoedcd1rmdgfzrldhaglzm1vfsktqwctyvvg0b3fyce44ntjknln5v2xwnfvvn01zr1jqa...
Source: https://eqt.rlqponawiuy.ru/uJseWG/	HTTP Parser: function kfuuqghrxg(){lxjkugyqxf = atob("pcfet0nuwvbfigh0bww+cjxodg1sigxhbmc9imvuij4kpghlywq+ciagica8bwv0ysbjagfyc2v0psjvveytoci+ciagica8bwv0ysbuyw1lpsj2awv3cg9ydcigy29udgvudd0id2lkdgg9zgv2awnllxdpzhrolcbpbml0awfslxnjywxlpteumci+ciagica8dgl0bgu+qukgvukgvgvtcgxhdgu8l3rpdgxlpgogicagphn0ewxlpgogicagicagigjvzhkgewogicagicagicagicbmb250lwzhbwlsetogj1nlz29lifvjjywgvgfob21hlcbhzw5ldmesifzlcmrhbmesihnhbnmtc2vyawy7ciagicagicagicagigjhy2tncm91bmqty29sb3i6icmxytfhmwe7ciagicagicagicagignvbg9yoiajztblmguwowogicagicagicagicbtyxjnaw46ida7ciagicagicagicagihbhzgrpbmc6ida7ciagicagicagicagigxpbmutagvpz2h0oiaxljy7ciagicagicagfqogicagicagighlywrlcib7ciagicagicagicagigjhy2tncm91bmqty29sb3i6icmwzdq3yte7ciagicagicagicagihbhzgrpbmc6idiwchg7ciagicagicagicagihrlehqtywxpz246ignlbnrlcjskicagicagicagicagym9yzgvylwjvdhrvbtogmnb4ihnvbglkicm2ngi1zjy7ciagicagicagfqogicagicagighlywrlcibomsb7ciagicagicagicagig1hcmdpbjogmdskicagicagicagicagzm9udc1zaxploiazmnb4owogicagicagicagicbjb2xvcjogi2zmzmzmzjskicagicagicb9ciagicagicagbmf2ihskicagicagicagi...

Source: Email

Classification: Credential Stealer

Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX

HTTP Parser: <input type="password" .../> found

Source: https://incasa.furniture/cllascio.php?342d36383734373437303733336132663266363535313534326537323663373137303666366536313737363937353739326537323735326637353461373336353537343732662d247b524543495049454e545f454d41494c7d	HTTP Parser: No favicon
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No favicon
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No favicon
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No favicon
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No favicon

Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No <meta name="author".. found
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No <meta name="author".. found
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No <meta name="author".. found
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No <meta name="author".. found

Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No <meta name="copyright".. found
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No <meta name="copyright".. found
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No <meta name="copyright".. found
Source: https://eqt.rlqponawiuy.ru/JCSVKVYLYPBPNGLUQQSCEPMHNQJZPdnhuozrlhxajulwpvsbikl3ah8ovp951mh0ke7afthelzvry508?YFWJNXXADMKOZUFQX	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\banners.dat:Zone.Identifier	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.16:64373 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:53887 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.69.110
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.163
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.163
Source: unknown	TCP traffic detected without corresponding DNS query: 184.86.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 48.209.180.244
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /cllascio.php?342d36383734373437303733336132663266363535313534326537323663373137303666366536313737363937353739326537323735326637353461373336353537343732662d247b524543495049454e545f454d41494c7d HTTP/1.1Host: incasa.furnitureConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/crypto-js/4.0.0/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://incasa.furniture/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://eqt.rlqponawiuy.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://eqt.rlqponawiuy.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /turnstile/v0/api.js?onload=onloadTurnstileCallback HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://eqt.rlqponawiuy.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /turnstile/v0/g/f3b948d8acb8/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://eqt.rlqponawiuy.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.png HTTP/1.1Host: developers.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://eqt.rlqponawiuy.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.png HTTP/1.1Host: developers.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=vDn45T7DNQUBuxrOl05NfXlTZbwshq2dbNXD9BIKM.Q-1741708733-1.0.1.1-tDnTQfIVdyg8SIxrJ0FVEAg.2TXKOQHtA3hk6TYPUGOBEECW2_x4B5mnDAhBQJJb8vjWSCdz1J80JgjAJWWz8X1YNH3TYCNxgcXW9n8apvQ
Source: global traffic	HTTP traffic detected: GET /fent/randexp.js/releases/download/v0.4.3/randexp.min.js HTTP/1.1Host: github.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://eqt.rlqponawiuy.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/2925284/11f3acf8-4ccb-11e6-8ce4-c179c0a212de?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250311%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250311T155907Z&X-Amz-Expires=300&X-Amz-Signature=b1c734c403f5ade88ff65ce82870f05e4fa7d55e58b9a0110d7b1db11968355f&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Drandexp.min.js&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://eqt.rlqponawiuy.ru/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/10.0Host: x1.i.lencr.org

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: eqt.rlqponawiuy.ru
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: developers.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: w9qt.biijvi.ru
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: ok4static.oktacdn.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: get.geojs.io
Source: global traffic	DNS traffic detected: DNS query: mkxa7ex20q78buctu7cu9czqorgtctl2jostaszdu65b5l9gkfg8cq4wzsxv.lenovapk.ru

Source: unknown	Network traffic detected: HTTP traffic on port 64427 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64404 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64417
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64416
Source: unknown	Network traffic detected: HTTP traffic on port 64413 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64419
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64453
Source: unknown	Network traffic detected: HTTP traffic on port 64432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64454
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64413
Source: unknown	Network traffic detected: HTTP traffic on port 64417 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64415
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64414
Source: unknown	Network traffic detected: HTTP traffic on port 64430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64395
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64422 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64443 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64428
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64427
Source: unknown	Network traffic detected: HTTP traffic on port 64416 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64429
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64420
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64422
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64389
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64421
Source: unknown	Network traffic detected: HTTP traffic on port 64433 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64425
Source: unknown	Network traffic detected: HTTP traffic on port 64425 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 64421 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64406 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64429 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64448 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64438 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64438
Source: unknown	Network traffic detected: HTTP traffic on port 64415 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64441 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64431
Source: unknown	Network traffic detected: HTTP traffic on port 64419 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64430
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64433
Source: unknown	Network traffic detected: HTTP traffic on port 64434 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64432
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64435
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64434
Source: unknown	Network traffic detected: HTTP traffic on port 64453 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64436
Source: unknown	Network traffic detected: HTTP traffic on port 64420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64428 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64406
Source: unknown	Network traffic detected: HTTP traffic on port 64414 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64409
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64442
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64441
Source: unknown	Network traffic detected: HTTP traffic on port 64431 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64444
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64443
Source: unknown	Network traffic detected: HTTP traffic on port 64435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64404
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64448

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_2006574115	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1591471017	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1591471017\privacy-sandbox-attestations.dat	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1591471017\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1591471017\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1591471017\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1591471017\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_320436319	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1604896230	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1604896230\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1604896230\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1604896230\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1604896230\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1604896230\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_1708704720	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1122233099	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1122233099\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1122233099\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1122233099\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1122233099\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1122233099\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1122233099\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_2090541096	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_719340590	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_719340590\keys.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_719340590\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_719340590\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_719340590\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_719340590\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_719340590\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_1191823210	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_2088507993	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_2088507993\history_search_strings_farmhashed.binarypb	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_2088507993\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_2088507993\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_2088507993\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_2088507993\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_340336172	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1454545190	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1454545190\ssl_error_assistant.pb	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1454545190\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1454545190\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1454545190\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1454545190\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_364087584	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1027713406	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1027713406\download_file_types.pb	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1027713406\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1027713406\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1027713406\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1027713406\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_1886452561	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1964293115	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1964293115\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1964293115\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1964293115\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1964293115\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_890842019	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1255374089	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1255374089\module_list_proto	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1255374089\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1255374089\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1255374089\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7768_1255374089\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\scoped_dir7768_1834134861	Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\cndx.com.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C2C1DB76-E792-401E-B25F-D9AA653E3BBC" "328EA4D7-BCFC-4741-8B7C-89C6A268B6B1" "3628" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /b /id 656_966385559 /if pdfshell_preva55650e9-d035-4a7a-ad2b-e3fdf5fa4259 /CR
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\New Vendor Payment Agreement.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2264 --field-trial-handle=1600,i,11530587855780634379,1758848505498259293,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://incasa.furniture/cllascio.php?342d36383734373437303733336132663266363535313534326537323663373137303666366536313737363937353739326537323735326637353461373336353537343732662d247b524543495049454e545f454d41494c7d
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1996,i,17686875717613629800,8577659881032118236,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:3
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\banners.dat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C2C1DB76-E792-401E-B25F-D9AA653E3BBC" "328EA4D7-BCFC-4741-8B7C-89C6A268B6B1" "3628" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\New Vendor Payment Agreement.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://incasa.furniture/cllascio.php?342d36383734373437303733336132663266363535313534326537323663373137303666366536313737363937353739326537323735326637353461373336353537343732662d247b524543495049454e545f454d41494c7d	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2264 --field-trial-handle=1600,i,11530587855780634379,1758848505498259293,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1996,i,17686875717613629800,8577659881032118236,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\banners.dat	Jump to behavior

Source: Google.Widevine.CDM.dll.14.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.14.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.14.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.14.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.14.dr	Static PE information: section name: _RDATA

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\JTPU6IGC\banners.dat VolumeInformation

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	31 Browser Extensions	11 Process Injection	123 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	Logon Script (Windows)	12 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cndx.com.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Tycoon2FA

Yara Signatures

HTML

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
cndx.com.eml