Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

FW Complete with Docusign Remittance Advice .pdf.eml

RFC 822 mail, ASCII text, with very long lines (347), with CRLF line terminators

initial sample

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

Composite Document File V2 Document, Cannot read section info

dropped

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Microsoft Outlook email folder (>=2003)

dropped

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

data

dropped

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

data

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

JSON data

dropped

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

ASCII text, with very long lines (65536), with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

ASCII text, with no line terminators

modified

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

SQLite Rollback Journal

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

SQLite Write-Ahead Log, version 3007000

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D3B21138.dat

PNG image data, 143 x 100, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9F2E08F0-7F45-4E81-979F-62F59CE0056E}.tmp

data

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730223700375821000_32EEF9AE-71C5-40E8-ADBF-0EE29DFE2CF1.log

ASCII text, with very long lines (28743), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730223700376644700_32EEF9AE-71C5-40E8-ADBF-0EE29DFE2CF1.log

data

dropped

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241029T1341400150-6596.etl

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 29 16:42:02 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

dropped

Chrome Cache Entry: 248

ASCII text, with very long lines (6455)

downloaded

Chrome Cache Entry: 249

ASCII text, with very long lines (21847)

downloaded

Chrome Cache Entry: 250

HTML document, ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 251

ASCII text, with very long lines (16718)

downloaded

Chrome Cache Entry: 252

Unicode text, UTF-8 text, with very long lines (65452)

downloaded

Chrome Cache Entry: 253

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 254

ASCII text, with very long lines (52240)

dropped

Chrome Cache Entry: 255

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 256

ASCII text, with very long lines (65447)

dropped

Chrome Cache Entry: 257

PNG image data, 79 x 79, 8-bit/color RGB, non-interlaced

dropped

Chrome Cache Entry: 258

ASCII text

dropped

Chrome Cache Entry: 259

ASCII text, with very long lines (57931)

dropped

Chrome Cache Entry: 260

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 261

ASCII text, with very long lines (3670)

downloaded

Chrome Cache Entry: 262

ASCII text, with very long lines (9377)

dropped

Chrome Cache Entry: 263

ASCII text, with very long lines (57931)

downloaded

Chrome Cache Entry: 264

Unicode text, UTF-8 text, with very long lines (63087)

dropped

Chrome Cache Entry: 265

ASCII text, with very long lines (631), with no line terminators

downloaded

Chrome Cache Entry: 266

Unicode text, UTF-8 text, with very long lines (65439)

dropped

Chrome Cache Entry: 267

Unicode text, UTF-8 text, with very long lines (30984)

dropped

Chrome Cache Entry: 268

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 269

ASCII text, with very long lines (19766)

dropped

Chrome Cache Entry: 270

ASCII text, with very long lines (65440)

downloaded

Chrome Cache Entry: 271

GIF image data, version 89a, 145 x 60

downloaded

Chrome Cache Entry: 272

ASCII text

downloaded

Chrome Cache Entry: 273

Unicode text, UTF-8 text, with very long lines (63087)

downloaded

Chrome Cache Entry: 274

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 275

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 276

Unicode text, UTF-8 text, with very long lines (16888)

downloaded

Chrome Cache Entry: 277

ASCII text

downloaded

Chrome Cache Entry: 278

Unicode text, UTF-8 text, with very long lines (65439)

downloaded

Chrome Cache Entry: 279

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 280

ASCII text, with very long lines (27974)

dropped

Chrome Cache Entry: 281

Unicode text, UTF-8 text, with very long lines (65446)

downloaded

Chrome Cache Entry: 282

ASCII text, with very long lines (6455)

dropped

Chrome Cache Entry: 283

ASCII text, with very long lines (12839)

downloaded

Chrome Cache Entry: 284

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 285

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 286

ASCII text, with very long lines (19766)

downloaded

Chrome Cache Entry: 287

PNG image data, 79 x 79, 8-bit/color RGB, non-interlaced

downloaded

Chrome Cache Entry: 288

ASCII text, with very long lines (7965)

dropped

Chrome Cache Entry: 289

ASCII text, with very long lines (20560)

dropped

Chrome Cache Entry: 290

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 291

Unicode text, UTF-8 text, with very long lines (13863)

downloaded

Chrome Cache Entry: 292

ASCII text, with very long lines (65536), with no line terminators

downloaded

Chrome Cache Entry: 293

Unicode text, UTF-8 text, with very long lines (30984)

downloaded

Chrome Cache Entry: 294

Unicode text, UTF-8 text, with very long lines (65452)

dropped

Chrome Cache Entry: 295

JSON data

downloaded

Chrome Cache Entry: 296

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 297

ASCII text, with very long lines (65447)

downloaded

Chrome Cache Entry: 298

ASCII text, with very long lines (65446)

downloaded

Chrome Cache Entry: 299

ASCII text, with very long lines (17950)

downloaded

Chrome Cache Entry: 300

PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 301

ASCII text, with very long lines (46070)

dropped

Chrome Cache Entry: 302

ASCII text, with very long lines (32844)

dropped

Chrome Cache Entry: 303

ASCII text, with very long lines (65443)

dropped

Chrome Cache Entry: 304

Unicode text, UTF-8 text, with very long lines (13863)

dropped

Chrome Cache Entry: 305

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 306

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 307

Web Open Font Format (Version 2), TrueType, length 29516, version 1.0

downloaded

Chrome Cache Entry: 308

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 309

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 310

ASCII text, with very long lines (17329)

downloaded

Chrome Cache Entry: 311

ASCII text, with very long lines (46070)

downloaded

Chrome Cache Entry: 312

ASCII text, with very long lines (65447)

downloaded

Chrome Cache Entry: 313

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 314

Web Open Font Format (Version 2), TrueType, length 31468, version 1.0

downloaded

Chrome Cache Entry: 315

ASCII text, with very long lines (65440)

dropped

Chrome Cache Entry: 316

ASCII text, with very long lines (65448)

dropped

Chrome Cache Entry: 317

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 318

JSON data

dropped

Chrome Cache Entry: 319

ASCII text, with very long lines (17329)

dropped

Chrome Cache Entry: 320

PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 321

ASCII text

downloaded

Chrome Cache Entry: 322

Unicode text, UTF-8 text, with very long lines (65169)

dropped

Chrome Cache Entry: 323

ASCII text, with very long lines (65446)

dropped

Chrome Cache Entry: 324

ASCII text, with very long lines (27974)

downloaded

Chrome Cache Entry: 325

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 326

Unicode text, UTF-8 text, with very long lines (65169)

downloaded

Chrome Cache Entry: 327

Unicode text, UTF-8 text, with very long lines (65446)

dropped

Chrome Cache Entry: 328

Unicode text, UTF-8 text, with very long lines (65433)

downloaded

Chrome Cache Entry: 329

Unicode text, UTF-8 text, with very long lines (65433)

dropped

Chrome Cache Entry: 330

ASCII text, with very long lines (7965)

downloaded

Chrome Cache Entry: 331

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 332

ASCII text

dropped

Chrome Cache Entry: 333

ASCII text, with very long lines (65438)

dropped

Chrome Cache Entry: 334

ASCII text, with very long lines (20560)

downloaded

Chrome Cache Entry: 335

GIF image data, version 89a, 145 x 60

dropped

Chrome Cache Entry: 336

ASCII text, with very long lines (9667)

downloaded

Chrome Cache Entry: 337

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 338

ASCII text, with very long lines (65438)

downloaded

Chrome Cache Entry: 339

ASCII text, with very long lines (631), with no line terminators

dropped

Chrome Cache Entry: 340

ASCII text, with very long lines (9377)

downloaded

Chrome Cache Entry: 341

ASCII text, with very long lines (30012)

downloaded

Chrome Cache Entry: 342

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 343

ASCII text, with very long lines (52240)

downloaded

Chrome Cache Entry: 344

ASCII text, with very long lines (16718)

dropped

Chrome Cache Entry: 345

ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 346

Unicode text, UTF-8 text, with very long lines (16888)

dropped

Chrome Cache Entry: 347

ASCII text, with very long lines (11612)

downloaded

Chrome Cache Entry: 348

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 349

ASCII text, with very long lines (9667)

dropped

Chrome Cache Entry: 350

HTML document, ASCII text, with very long lines (65448)

downloaded

Chrome Cache Entry: 351

Web Open Font Format, TrueType, length 13780, version 1.0

downloaded

Chrome Cache Entry: 352

ASCII text, with very long lines (65447)

dropped

Chrome Cache Entry: 353

ASCII text, with very long lines (32844)

downloaded

Chrome Cache Entry: 354

ASCII text, with no line terminators

dropped

Chrome Cache Entry: 355

ASCII text, with very long lines (30012)

dropped

Chrome Cache Entry: 356

ASCII text, with very long lines (65443)

downloaded

Chrome Cache Entry: 357

ASCII text, with very long lines (21847)

dropped

Chrome Cache Entry: 358

Web Open Font Format, CFF, length 33752, version 0.0

downloaded

Chrome Cache Entry: 359

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 360

ASCII text

downloaded

Chrome Cache Entry: 361

SVG Scalable Vector Graphics image

downloaded

There are 131 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\FW Complete with Docusign Remittance Advice .pdf.eml"

Details

Is windows:	true
Is dropped:	false
PID:	6596
Target ID:	0
Parent PID:	4552
Name:	OUTLOOK.EXE
Class:	outlook
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\FW Complete with Docusign Remittance Advice .pdf.eml"
Size:	34446744
MD5:	91A5292942864110ED734005B7E005C0
Time:	13:41:39
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x4c0000
Modulesize:	34492416
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Office Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7E7FA1BA-512F-4CCF-8F61-DF637BCA2188" "D055BBE0-2A76-4964-99CF-CA7FF91E9606" "6596" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Details

Is windows:	true
Is dropped:	false
PID:	6796
Target ID:	2
Parent PID:	6596
Name:	ai.exe
Class:	office
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7E7FA1BA-512F-4CCF-8F61-DF637BCA2188" "D055BBE0-2A76-4964-99CF-CA7FF91E9606" "6596" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Size:	710048
MD5:	EC652BEDD90E089D9406AFED89A8A8BD
Time:	13:41:41
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff705790000
Modulesize:	737280
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://eu.docusign.net/Signing/EmailStart.aspx?a=9eb1232d-b669-47cc-b565-df3c91f4d5f7&etti=24&acct=abba683f-186c-4f9e-8ab2-ac0f68fbe569&er=ad16d7d0-2faa-44b9-8c84-a75ce167beb2

Details

Is windows:	true
Is dropped:	false
PID:	4816
Target ID:	10
Parent PID:	6596
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://eu.docusign.net/Signing/EmailStart.aspx?a=9eb1232d-b669-47cc-b565-df3c91f4d5f7&etti=24&acct=abba683f-186c-4f9e-8ab2-ac0f68fbe569&er=ad16d7d0-2faa-44b9-8c84-a75ce167beb2
Size:	3242272
MD5:	83395EAB5B03DEA9720F8D7AC0D15CAA
Time:	13:41:59
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d6f10000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1936,i,15758972476710016793,5887170265366060308,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	1388
Target ID:	11
Parent PID:	4816
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1936,i,15758972476710016793,5887170265366060308,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	83395EAB5B03DEA9720F8D7AC0D15CAA
Time:	13:41:59
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d6f10000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

Details

Is windows:	true
Is dropped:	false
PID:	4576
Target ID:	17
Parent PID:	6596
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://eu.docusign.net/Signing/EmailStart.aspx?a=9eb1232d-b669-47cc-b565-df3c91f4d5f7&etti=24&acct=abba683f-186c-4f9e-8ab2-ac0f68fbe569&er=ad16d7d0-2faa-44b9-8c84-a75ce167beb2
Size:	3242272
MD5:	83395EAB5B03DEA9720F8D7AC0D15CAA
Time:	13:42:31
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d6f10000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2052,i,16609491160001603012,7619728538762915141,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	1820
Target ID:	18
Parent PID:	4576
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2052,i,16609491160001603012,7619728538762915141,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	83395EAB5B03DEA9720F8D7AC0D15CAA
Time:	13:42:31
Date:	29/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d6f10000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://eu.docusign.net/Signing/EmailStart.aspx?a=9eb1232d-b669-47cc-b565-df3c91f4d5f7&etti=24&acct=

unknown

https://docucdn-a.akamaihd.net/olive/images/2.62.0/global-assets/email-templates/email-logo.png

unknown

https://developer.mozilla.org/en-US/docs/DOM/XMLHttpRequest#withCredentials

unknown

https://github.com/douglascrockford/JSON-js/blob/master/json_parse.js

unknown

https://support.docusign.com/

unknown

https://eu.docusign.net/Signing/?ti=3b85fab354684bb7979f0e8197110601

https://gist.github.com/1930440

unknown

https://github.com/zloirock/core-js

unknown

https://www.google.com/async/newtab_promos

142.250.184.196

https://eu.docusign.net/member/Images/email/docInvite-white.png

unknown

https://eu.docusign.net/Signing/?ti=462f8735578042e2863447312431c2e9

http://dean.edwards.name/weblog/2005/10/add-event/

unknown

https://aka.ms/LearnAboutSenderIdentification

unknown

https://support.docusign.com/s/articles/How-do-I-sign-a-DocuSign-document-Basic-Signing?language=en_

unknown

https://www.google.com/async/ddljson?async=ntp:2

142.250.184.196

https://community.docusign.com/esignature-111?utm_campaign=GBL_US_PRD_AWA_2405_CommunityCTA&utm_medi

unknown

http://documentcloud.github.com/underscore/

unknown

https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw

142.250.184.196

http://www.ecma-international.org/ecma-262/5.1/#sec-12.4

unknown

https://protect.docusign.net/report-abuse?e=AUtomjpFak9GlbPL0zFFi11QWZPQRVAXy0-T2ps_NbUh_ZoXBfZPath_

unknown

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

142.250.184.196

http://dbj.org/dbj/?p=286

unknown

http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/

unknown

https://support.docusign.com/en/articles/How-do-I-manage-my-email-notifications

unknown

https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_DBU_UPS_2211_SignNotificat

unknown

https://support.docusign.com/en/guides/Declining-to-sign-DocuSign-Signer-Guide

unknown

https://cdn.optimizely.com/datafiles/MUGKFLCdCtxUSgrSTyhbw.json

104.18.65.57

https://a.docusign.com/ds_arya_wrapper.min.js?f=1

34.223.160.188

https://github.com/zloirock/core-js/blob/v3.30.2/LICENSE

unknown

There are 19 hidden URLs, click here to show them.

Domains

Name

Malicious

cdn.optimizely.com

104.18.65.57

Details

Name:	cdn.optimizely.com
IP:	104.18.65.57
TargetID:	11
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

www.google.com

142.250.186.68

Details

Name:	www.google.com
IP:	142.250.186.68
TargetID:	11
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

api.mixpanel.com

130.211.34.183

Details

Name:	api.mixpanel.com
IP:	130.211.34.183
TargetID:	11
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

arya-1323461286.us-west-2.elb.amazonaws.com

34.223.160.188

eu.docusign.net

unknown

Details

Name:	eu.docusign.net
TargetID:	18
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

a.docusign.com

unknown

Details

Name:	a.docusign.com
TargetID:	11
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

docucdn-a.akamaihd.net

unknown

Details

Name:	docucdn-a.akamaihd.net
TargetID:	18
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

142.250.186.68

www.google.com

United States

35.186.241.51

unknown

United States

130.211.34.183

api.mixpanel.com

United States

192.168.2.17

unknown

142.250.184.196

unknown

United States

34.223.160.188

arya-1323461286.us-west-2.elb.amazonaws.com

United States

104.18.65.57

cdn.optimizely.com

United States

35.190.25.25

unknown

United States

239.255.255.250

unknown

Reserved

54.187.212.170

unknown

United States

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

000b046b

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\3517490d76624c419a828607e2a54604

001f6000

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

000b049c

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

001f0433

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

000b0465

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9207f3e0a3b11019908b08002b2a56c2

11023d05

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046

00030429

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

CantBootResolution

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

ProfileBeingOpened

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession

BootDiagnosticsLogFile

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics

OutlookBootFlag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

h0;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

ProfileBeingOpened

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings

Accounts

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Licensing

EligibleForExtendedGrace

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1f\417C44EB

@%SystemRoot%\system32\mlang.dll,-4612

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1f\417C44EB

@%SystemRoot%\system32\mlang.dll,-4608

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards

PageSize

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings

Template

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options

WMACUpdated

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Options

DefaultKerningLigatures

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

BootDiagnosticsLogFile

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData

CantBootResolution

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountSignaturesDialogOpen

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Display Types\Balloons

HWND64ForOrphanedNotIcon

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

"9;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\ColleagueImport.ColleagueImportAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\Microsoft.VbaAddinForOutlook.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

29;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

!9;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OscAddin.Connect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

!9;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\UCAddin.LyncAddin.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

19;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

19;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

`9;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

`9;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems

`9;

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Search

IndexAvailableBody

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountsNeedResyncingWithOwnershipV5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountsNeedResyncingWithOwnershipV4

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountsNeedResyncingWithOwnershipV3

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings\Data

global_AccountsNeedResyncingWithOwnership

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastSyncTimeOutlook

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingLastWriteTimeOutlook

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries

UpdateComplete

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

ClockTimeSeconds

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData

TickCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

a4922304f05a0caf296a5dab7d32866b

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

a1907cf74a0e723ae4d6d10c2be13b22

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

5f7af7540aa81b0933473148ec658dad

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

76e17cf74d1871db022de719ec047c24

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

a534c6b591e8e4482771367da0dfc1a5

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\AddinClassifier

6b5ad615dd992da766ae34dec0713a44

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\UserInfo

SharingMachineID

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile

MsaDevice

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet

UseRWHlinkNavigation

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet

UseRWOSHlinkNavigation

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents

LastPurgeTime

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Logging

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Usage

OutlookMAPI2

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Experiment\outlook

EcsRequestPending

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage

OutlookMAPI2Intl_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange\Forms Registry

CacheSyncCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

Expires

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook

ETag

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

HyphenationFiles_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\ColleagueImport.ColleagueImportAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

ColleagueImport.ColleagueImportAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common

SessionId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\OneNote.OutlookAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-CH

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

en-GB

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

OneNote.OutlookAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\OscAddin.Connect

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

OscAddin.Connect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\UCAddin.LyncAddin.1

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

UCAddin.LyncAddin.1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\UmOutlookAddin.FormRegionAddin

LoadCount

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes

UmOutlookAddin.FormRegionAddin

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\6596

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\UserInfo

CountQuickSteps

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming

RoamingConfigurableSettings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage

SpellingAndGrammarFiles_1036

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage

SpellingAndGrammarFiles_3082

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage

SpellingAndGrammarFiles_1033

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018C00B92EA0FCD

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Search\Catalog

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Settings

Accounts

There are 154 hidden registries, click here to show them.

DOM / HTML

URL

Malicious

https://eu.docusign.net/Signing/?ti=462f8735578042e2863447312431c2e9

https://eu.docusign.net/Signing/?ti=3b85fab354684bb7979f0e8197110601

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
FW Complete with Docusign Remittance Advice .pdf.eml

Files

Processes

URLs

Domains

IPs

Registry

DOM / HTML

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportFW Complete with Docusign Remittance Advice .pdf.eml

Files

Processes

URLs

Domains

IPs

Registry

DOM / HTML

IOC Report
FW Complete with Docusign Remittance Advice .pdf.eml