IOC Report
Salary Increment.eml

Files

File Path

Type

Category

Malicious

Salary Increment.eml

RFC 822 mail, ASCII text, with very long lines (2605), with CRLF line terminators

initial sample

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AB36553B-113B-4FC0-8717-141CCFCB4A92

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

data

dropped

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

SQLite Write-Ahead Log, version 3007000

modified

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{2E692B08-ADC1-427A-B043-AA533C88DD47}.tmp

data

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1724782392370735200_49B920F3-1C52-40CE-93C5-B72621957C81.log

ASCII text, with very long lines (28758), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1724782392372650800_49B920F3-1C52-40CE-93C5-B72621957C81.log

data

dropped

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240827T1413120126-6884.etl

data

modified

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 17:13:27 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 17:13:27 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 17:13:27 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 17:13:27 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Aug 27 17:13:27 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Microsoft Outlook email folder (>=2003)

dropped

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

data

dropped

Chrome Cache Entry: 101

Web Open Font Format, CFF, length 34820, version 0.0

downloaded

Chrome Cache Entry: 102

ASCII text, with very long lines (65446), with CRLF line terminators

dropped

Chrome Cache Entry: 103

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

downloaded

Chrome Cache Entry: 104

ASCII text, with very long lines (13479), with CRLF line terminators

dropped

Chrome Cache Entry: 105

PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 107

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 87

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 88

ASCII text, with CRLF line terminators

downloaded

Chrome Cache Entry: 90

Web Open Font Format, CFF, length 33752, version 0.0

downloaded

Chrome Cache Entry: 92

ASCII text

downloaded

Chrome Cache Entry: 93

Web Open Font Format, TrueType, length 37560, version 1.0

downloaded

Chrome Cache Entry: 94

Web Open Font Format, TrueType, length 47748, version 1.0

downloaded

Chrome Cache Entry: 95

PNG image data, 10 x 10, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 96

ASCII text

downloaded

There are 22 hidden files, click here to show them.

URLs

Name

IP

Malicious

https://ca.docusign.net/Signing/Error.aspx?scope=e6fb5c34-17d2-4062-9499-68bfb8add554

Domains

Name

IP

Malicious

www.google.com

142.250.185.164

Details

Name:	www.google.com
IP:	142.250.185.164
TargetID:	14
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

api.mixpanel.com

35.186.241.51

Details

Name:	api.mixpanel.com
IP:	35.186.241.51
TargetID:	14
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

linkprotect.cudasvc.com

3.121.135.153

Details

Name:	linkprotect.cudasvc.com
IP:	3.121.135.153
TargetID:	14
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

docucdn-a.akamaihd.net

unknown

ca.docusign.net

unknown

Details

Name:	ca.docusign.net
TargetID:	14
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

IPs

IP

Domain

Country

Malicious

52.113.194.132

unknown

United States

35.186.241.51

api.mixpanel.com

United States

142.250.185.206

unknown

United States

1.1.1.1

unknown

Australia

23.47.50.225

unknown

United States

2.16.238.157

unknown

European Union

192.168.2.17

unknown

unknown

173.194.76.84

unknown

United States

192.168.2.18

unknown

unknown

142.250.181.227

unknown

United States

20.50.201.200

unknown

United States

107.178.240.159

unknown

United States

108.177.122.139

unknown

United States

239.255.255.250

unknown

Reserved

142.250.185.163

unknown

United States

142.250.185.164

www.google.com

United States

52.109.28.46

unknown

United States

3.121.135.153

linkprotect.cudasvc.com

United States

52.235.63.109

unknown

United States

There are 9 hidden IPs, click here to show them.