Windows Analysis Report
(No subject) - 2024-10-31T090531.704.eml

Overview

General Information

Sample name: (No subject) - 2024-10-31T090531.704.eml
Analysis ID: 1546260
MD5: 970633fc2ac75fdf0d4dce1d003186f4
SHA1: 6205eacd288c674abfd0097a250cbb735f267f20
SHA256: 5c4aea1d1371875afb976f58def88de89763eb0f122321c801313743603b9378

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected potential phishing Email
Suspicious MSG / EML detected (based on various text indicators)
Detected suspicious crossdomain redirect
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic

Classification

Phishing

Source: MSG / EML OCR Text: You don't often get email from dse_na4@docusign.net. Learn why this is important @docusign Caitlin Tharp (Gilmore) sent you a document to review and sign. REVIEW DOCUMENT Caitlin Tharp (Gilmore) zskeiemm3@consultant.com Thanks! got em. Caitlin Tharp (Gilmore), PE I Vice President Schaaf and Wheeler Consulting Civil Engineers 10232 Donner Pass Road #4, Truckee, CA 96161 Do Not Share This Email This email contains a secure link to Docusign. Please do not share this email, link, or access code with others. Alternate Signing Method Visit Docusign.com, click 'Access Documents', and enter the security code: A6F8F68FE0764337AAC3C42F41 EBF6CC7 About Docusign Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe -- Docusign provides a professional trusted solution for Digital Transaction ManagementTM. Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly. Stop receiving this email Report this email or read more about Declining to sign and Managing notifications. If you have trouble signing, visit "How to Sign a Document" on our Docusign Support Center, or browse our Docusign Community for more information.
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49748 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe HTTP traffic: Redirect from: gcc02.safelinks.protection.outlook.com to https://na4.docusign.net/signing/emailstart.aspx?a=a6f8f68f-e076-4337-aac3-c42f41ebf6cc&etti=24&acct=7e9e0095-f41c-42f4-b219-3be2b992a461&er=449d3c4f-dbee-4c6e-a043-8f2682f3079d
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 104.47.64.28
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.16:49748
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.16:49712
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.160.14
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=fGLw7rl8KtPeAcX&MD=AeeMNrPN HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /?url=https%3A%2F%2Fna4.docusign.net%2FSigning%2FEmailStart.aspx%3Fa%3Da6f8f68f-e076-4337-aac3-c42f41ebf6cc%26etti%3D24%26acct%3D7e9e0095-f41c-42f4-b219-3be2b992a461%26er%3D449d3c4f-dbee-4c6e-a043-8f2682f3079d&data=05%7C02%7Ckhickey%40santaclaraca.gov%7Cac1bfe3680ab4b4bc88008dcf9c3a7ca%7C28ea354810694e81aa0b6e4b3271a5cb%7C0%7C0%7C638659866425908855%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C20000%7C%7C%7C&sdata=hiibBlRjS07Ot%2Fn9qwgC1lvq2U9kAt%2BMFXtGA%2BOSu5U%3D&reserved=0 HTTP/1.1Host: gcc02.safelinks.protection.outlook.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /track/?data=eyJldmVudCI6ICJtcF9wYWdlX3ZpZXciLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiV2luZG93cyIsIiRicm93c2VyIjogIkNocm9tZSIsIiRyZWZlcnJpbmdfZG9tYWluIjogIm5hNC5kb2N1c2lnbi5uZXQiLCIkc2NyZWVuX2hlaWdodCI6IDEwMjQsIiRzY3JlZW5fd2lkdGgiOiAxMjgwLCJtcF9saWIiOiAid2ViIiwiZGlzdGluY3RfaWQiOiAiNTM4QzA5Mzc0QTEyM0I4RjZCOERBOEZEMDk4QTlDOTk4MTQwRjdEMiIsIiRpbml0aWFsX3JlZmVycmluZ19kb21haW4iOiAibmE0LmRvY3VzaWduLm5ldCIsIm1wX3BhZ2UiOiAibmE0LmRvY3VzaWduLm5ldCIsIm1wX3JlZmVycmVyIjogIm5hNC5kb2N1c2lnbi5uZXQiLCJtcF9icm93c2VyIjogIkNocm9tZSIsIm1wX3BsYXRmb3JtIjogIldpbmRvd3MiLCJ0b2tlbiI6ICIzMDRjY2JkZTI0ZDNiMTVmZmUyZDVkZTMwYzEwZGFiMiJ9fQ%3D%3D&ip=1&_=1730390993043 HTTP/1.1Host: api.mixpanel.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://na4.docusign.netSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://na4.docusign.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=fGLw7rl8KtPeAcX&MD=AeeMNrPN HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: gcc02.safelinks.protection.outlook.com
Source: global traffic DNS traffic detected: DNS query: na4.docusign.net
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: docucdn-a.akamaihd.net
Source: global traffic DNS traffic detected: DNS query: api.mixpanel.com
Source: classification engine Classification label: mal52.phis.winEML@18/48@16/7
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241031T1209330586-6644.etl
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\(No subject) - 2024-10-31T090531.704.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A3EA6518-C531-4DE7-BC7D-22EC5B6727F8" "C28E0983-BCA6-49DB-A7D6-E768A78B37F2" "6644" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fna4.docusign.net%2FSigning%2FEmailStart.aspx%3Fa%3Da6f8f68f-e076-4337-aac3-c42f41ebf6cc%26etti%3D24%26acct%3D7e9e0095-f41c-42f4-b219-3be2b992a461%26er%3D449d3c4f-dbee-4c6e-a043-8f2682f3079d&data=05%7C02%7Ckhickey%40santaclaraca.gov%7Cac1bfe3680ab4b4bc88008dcf9c3a7ca%7C28ea354810694e81aa0b6e4b3271a5cb%7C0%7C0%7C638659866425908855%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C20000%7C%7C%7C&sdata=hiibBlRjS07Ot%2Fn9qwgC1lvq2U9kAt%2BMFXtGA%2BOSu5U%3D&reserved=0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1588 --field-trial-handle=2024,i,12387921056704305798,15199288670711883833,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: Google Drive.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

Source: Email LLM: Page contains button: 'REVIEW DOCUMENT' Source: 'Email'
Source: Email LLM: Email contains prominent button: 'review document'
Source: Email LLM: Detected potential phishing email: The sender email 'zskeiemm3@consultant.com' is suspicious and doesn't match the legitimate DocuSign domain
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid