Windows Analysis Report
securedoc_20240327T095809.html

Overview

General Information

Sample name:	securedoc_20240327T095809.html
Analysis ID:	1417555
MD5:	44455a91f72ab9e8d685aa703cde01cd
SHA1:	c9bdb93cf8b00e1ab0367c88f826c069af0ba0d4
SHA256:	4155158042b58e1c8d6522ad0017658e84a3847ce5c8217f720015c69dc25ff6
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suspicious Javascript code found in HTML file

Detected hidden input values containing email addresses (often used in phishing pages)

HTML title does not match URL

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Stores files to the Windows start menu directory

Classification

Signatures

Phishing

Suspicious Javascript code found in HTML file

Source: securedoc_20240327T095809.html	HTTP Parser: document.write
Source: securedoc_20240327T095809.html	HTTP Parser: location.href
Source: securedoc_20240327T095809.html	HTTP Parser: window.location

Detected hidden input values containing email addresses (often used in phishing pages)

Source: securedoc_20240327T095809.html	HTTP Parser: "Carruthers, Crystal" <crystal.carruthers@optum.com>
Source: securedoc_20240327T095809.html	HTTP Parser: Secure Message from crystal.carruthers@optum.com
Source: file:///C:/Users/user/Desktop/securedoc_20240327T095809.html	HTTP Parser: {'name':null,'msgID':'\|1__012393150000018e806b24aa956f8f48f98e19c2@ovarp0688.corpmailsvcs.com','keysize':24,'flags':3073,'rid':'YWNjb3VudHNwYXlhYmxlIDxhY2NvdW50c3BheWFibGVAY3JhbmV3YXJlLmNvbT4sICJwaGFybWFjeWJpbGxpbmdhZG1pbkBjaGFuZ2VoZWFsdGhjYXJlLmNvbSIgPHBoYXJtYWN5YmlsbGluZ2FkbWluQGNoYW5nZWhlYWx0aGNhcmUuY29tPg==','algnames':{'encryption':{'data':'AES'}},'algparams':{'encryption':{'data':{'IV':'LHCijzkUvfOdEEtnk6xpAw=='}}},'keyserverhost':'res.cisco.com:443','securereplyhost':'res.cisco.com:443','openerhost':'res.cisco.com:443','toc':[['Body-1711551489199.txt',1,'','',13,[0,43824],'Body-1711551489199.txt','UTF-16'],['image002.png',2,'','image002.png',21,[43824,3817],'image002.png','ISO-8859-1'],['image003.png',2,'','image003.png',21,[47641,5468],'image003.png','ISO-8859-1'],['MessageBar.html',4,'','',1,[53109,63586],'MessageBar.html','UTF-16']],'salt':'frfzhcw7G/NdlMuvS+fQLm5CkoE=','data':['','','']}

HTML title does not match URL

Source: securedoc_20240327T095809.html

HTTP Parser: Title: Secure Registered Envelope:Secure Message from crystal.carruthers@optum.com does not match URL

Source: securedoc_20240327T095809.html

HTTP Parser: <input type="password" .../> found

Source: securedoc_20240327T095809.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/securedoc_20240327T095809.html	HTTP Parser: No favicon

Source: securedoc_20240327T095809.html

HTTP Parser: No <meta name="author".. found

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49737 version: TLS 1.2

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?p=0&d=%7B%27name%27%3Anull,%0D%0A%27msgID%27%3A%27%7C1__012393150000018e806b24aa956f8f48f98e19c2%40ovarp0688%2Ecorpmailsvcs%2Ecom%27,%0D%0A%27keysize%27%3A24,%0D%0A%27flags%27%3A3073,%0D%0A%27rid%27%3A%27YWNjb3VudHNwYXlhYmxlIDxhY2NvdW50c3BheWFibGVAY3JhbmV3YXJlLmNvbT4sICJwaGFybWFjeWJpbGxpbmdhZG1pbkBjaGFuZ2VoZWFsdGhjYXJlLmNvbSIgPHBoYXJtYWN5YmlsbGluZ2FkbWluQGNoYW5nZWhlYWx0aGNhcmUuY29tPg%3D%3D%27,%0D%0A%27algnames%27%3A%7B%27encryption%27%3A%7B%27data%27%3A%27AES%27%7D%7D,%0D%0A%27algparams%27%3A%7B%27encryption%27%3A%7B%27data%27%3A%7B%27IV%27%3A%27LHCijzkUvfOdEEtnk6xpAw%3D%3D%27%7D%7D%7D,%0D%0A%27keyserverhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27securereplyhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27openerhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27toc%27%3A%5B%0D%0A%5B%27Body-1711551489199%2Etxt%27,1,%0D%0A%27%27,%0D%0A%27%27,%0D%0A13,%5B0,43824%5D,%27Body-1711551489199%2Etxt%27,%0D%0A%27UTF-16%27%5D,%0D%0A%5B%27image002%2Epng%27,2,%0D%0A%27%27,%0D%0A%27image002%2Epng%27,%0D%0A21,%5B43824,3817%5D,%27image002%2Epng%27,%0D%0A%27ISO-8859-1%27%5D,%0D%0A%5B%27image003%2Epng%27,2,%0D%0A%27%27,%0D%0A%27image003%2Epng%27,%0D%0A21,%5B47641,5468%5D,%27image003%2Epng%27,%0D%0A%27ISO-8859-1%27%5D,%0D%0A%5B%27MessageBar%2Ehtml%27,4,%0D%0A%27%27,%0D%0A%27%27,%0D%0A1,%5B53109,63586%5D,%27MessageBar%2Ehtml%27,%0D%0A%27UTF-16%27%5D%0D%0A%5D,%0D%0A%27salt%27%3A%27frfzhcw7G%2FNdlMuvS%2BfQLm5CkoE%3D%27,%0D%0A%27data%27%3A%5B%0D%0A%27%27,%27j3rt2rKVtePYhOdkWuHqAvG5IPgP7XWniwxQo6069G4%2FUd1VX8br2nlNrN%2FfyhxIJFGRvKeVONEaCVW6N5mXAjdjK4Zct33b5Yp26m8kPhxD4TzzWva%2B%2F3%2BMC76krWXVGGGdx2CCsZxmrl30Sn%2FaToDfKjQil6%2FRjJWeT5GCmzjirnek%2Ft0%2FPJl6fd1571mAV0g9fyaegZ1Eo0AouxnxsTs1WtzYkDuF5q%2BWH3zhHCfqjegwpVSU2m0uJ8kq2xj8FIMs%2Bsnr5Ya3yuo7aiem0xMqwkl%2Fr5j2Q7rSn8UBGO%2BzOpCaiO6cM7NbLpzTzrJ%2BI5SjwsiRhHJ8nHGz6G7lIFHnF2WsRGfYZ%2BubPnt4xioEjSYGMsauab95VpoQMAq9dvVh3So0VyGx7I6Cfl7UGAwPqSNWTciWoVYVZfQS7FowRMDPPygldJNaNfVsiBu4ZTho9mfPFKeQg0yJCIJtEzOWq6SPbBojJbDH1OUaVtOeYGedoTtJAI6yUC3ypf56IAEsCPrs1jS8CEXLZ1mOc5umusG0nud0q1OLSLIF5b5iBCnmnMcCbqMhZWCvU0F4Bo%2FeSKZmAAABPsR0vDeTMuFuSKyGmWmmImTnoOvDC9Sbuzo3JqatAse1NSJEdpSP8Qfek9WtRyk9fB9gBE0HcLX2nfEaMsx48j8NIz%2F7%2BiTcMaY0i5ypyXH7plGkABDu2WC3mQecoTQMJrIQcVSSseDP4Mp9YJbyzUIE8xYfRZIKGK6baMcGibkQQYdNcljAVeBML9t6TB9n5a%2FtWUBYa4vZUJLB2ddCLkxYle92snWtpe5ELk%2FsWpQxQbBTjBdGrfeexLHsiUizODJc%2FGxamsOjcbwFamyKwsICM%2BiutEzZlWJyRAWab%2BUUZiinrZBQcyuL7Jj4OsHw6JhrLphOKkZYXKUD2EpUyrGeMyo69G4L9dGsxF%2Bcxu903zE%2F06eYwOc9Ot9ukQ8J427a2gana9Ghe%2FlzVq66qYsGJ9YqkJ%2Bx5P7X9UXd1WaSwn1lQi3jqVNbnePDwOrzl0NlGgT0%2F6v%2Fydd%2B%2F7XDFKJKYKE13d4VImSKxOCApc2XZPc7VwtVqJ3SItbKmHZWAqD99SWMTCoKAPEEDfBnwzm90bTKC9Jd8r0lvHY%2BvdnOTV7DBpyAbBeKSa%2B9fSaiTatQleBMnphHTXkJcC4j%2Br27bx%2BsbcrLbdzHukkXkIlNvfxC7PU93LIw4boxVSOdyGf1H6gI2t1ogDpzTVA1O3YEKrpoI9dtjfZfzT5OywiMG%2Bz0Sf01x%2F46TZ8zkIgq0au86ZDrtf%2BdFzQH61SJI

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 195.130.217.180 195.130.217.180
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 184.94.241.74 184.94.241.74
Source: Joe Sandbox View	IP Address: 104.17.25.14 104.17.25.14

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.21.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203

Source: global traffic	HTTP traffic detected: GET /ajax/libs/select2/4.0.12/css/select2.min.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /postx.css HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/select2/4.0.12/js/select2.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /websafe/logo/qWuRZDIlFFn0Z.ejbun830-rfiY7KGOHGT2q9s4Y9v3gB5g005b.rfoQ7ujVDdQgnEtQdA!!/branding/customer-logo.gif?f=1 HTTP/1.1Host: res.cisco.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /websafe/logo/qWuRZDIlFFn0Z.ejbun830-rfiY7KGOHGT2q9s4Y9v3gB5g005b.rfoQ7ujVDdQgnEtQdA!!/branding/customer-logo.gif?f=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: JSESSIONID=E50D505096AD70B0E639F9D86D643C3A
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /CRES_login_bg.jpg HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /websafe/images/loginbg.gif HTTP/1.1Host: res.cisco.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: JSESSIONID=E50D505096AD70B0E639F9D86D643C3A
Source: global traffic	HTTP traffic detected: GET /fonts/Inter/Inter-Regular.ttf HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://static.cres-aws.com/postx.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Inter/Inter-Light.ttf HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://static.cres-aws.com/postx.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /CRES_login_bg.jpg HTTP/1.1Host: static.cres-aws.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /s/QyNqC73L0cz8jmDskFKI_?domain=res.cisco.com?su=&df=&tf=&lp=en&v=2&m=%7c1__012393150000018e806b24aa956f8f48f98e19c2%40ovarp0688.corpmailsvcs.com&s=1&f=0&d=1711725073246&action=open&j=1&jc=l_&jca=%22RPCRef%22%3apayload.rpc%2c%0a%22callback%22%3aqr&src=1&na=Netscape&nj=0&njs=1&nl=en-US&np=Win32&nu=Mozilla%2f5.0%20%28Windows%20NT%2010.0%3b%20Win64%3b%20x64%29%20AppleWebKit%2f537.36%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f117.0.0.0%20Safari%2f537.36&nv=5.0%20%28Windows%20NT%2010.0%3b%20Win64%3b%20x64%29%20AppleWebKit%2f537.36%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f117.0.0.0%20Safari%2f537.36 HTTP/1.1Host: url.uk.m.mimecastprotect.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Inter/Inter-SemiBold.ttf HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://static.cres-aws.com/postx.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Inter/Inter-Bold.ttf HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://static.cres-aws.com/postx.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/3F8MFGTLrjLNrGEuoJ9LZYq2CZHs77TvrbWgLybRWK5Cx1YIjrZ5X7EVrtiiQDXJHakcWoQ4l9X_WG_OuHJVgMxr-H05_K-Ch48tBOAAjef8TY7QwNOdendkOtQvA5_NAi1syjbf8k84asafJGw1g3vFMwvOHroINaroUbuwMo3g-pJA0nCTLqLnu1DLQMpuk1XcUDFdHQWwls_CUbLvNUHrVniYrlWnxmur2t3lYUjvpZcpUgJYWVBySL9h1rma7CW94Zwg9HzSCtI_gc7YNhwrhdyPiXSElVE_4ehqZMVehGJOFd-y9Bse49i8G6TLtJIRvbeE_TOefuWfqKTh6hHcIyC74aGYmL5umdWnR7_J2syUjan8A7lIo5T6j0rb25CW4ff7C1WA7kth-MIkisj8XzQOd9PABBu_Qb8LgIKa-_ETrtCC5asVHoidzw6yJQFM1gDw4IO4Rs_Np3U4bjzzRZBswec56uzuYOhxC5x-yukitpxuLqvzNW78STFsHf3D3Wbg7Pv2-nNVRxgXshxFzyls2aQ7UQp4dwIrpTAaW1cic3ZqSnjAM-HamFKdjeqZ-BzpdxoCbf7iMKWlxgc6KVDcarMKvHQQesDRfkE1epCtkLph5djuLReNdSSmosmAVMoOdA4Er9Dohn3UQu_KrG3fHPwaK36U9Lhl2HXsxNRalV5ab5kRrHNYHqp0tvbzKcC203MdXPwGjY4v3PbMYPg2a8BZMTgvji1-rM2gjefw1RCdKMUyhwQuKMLgp7IH3-GH6swleggNzCSaGbye_ZdWJPwNQz9zLP13TKhBNJq1EwArnH8XzPXRoiia2KGc7JHoVVD8dA2pXuDG8oW0I82iTSIiUT8XV5CkUH7ZzgtysD8e0EAlNmsng1S3x9McbYRsODUEvSycfqWEwrzywKWx6gGj-6MR1CtaEG_lLlgc9cbcigsqB_TWL2Y9wh7YuvirIgHHZidMHyuv_oUQgpFw_xH96IJH6esB7XuG-LhJ0c8NMb_1aKvLeK0ffRHo826doemavJ-7CfRGyXRUmjbT-jpl_ZJb_zucrHyr2zvbrtVm1Im89UhhcqkzLWPVWvtJxHoWcViy_20wh4mFzGdq_Ez2oGSy37UL2QSDEXrYKPf3IcYDEhjFPbT8gcjwORpffBDoDvNu-1aFUCUDojxNaDUHRSaPiJOMq6giNomlh8kz_kMvZ1hbOr7hk-9GzYxXI4TnAFas-5l57deKywNh_HLnUbR1kmFXk5uZFizRjZRVB_0PdF1q1lePp1ptcqd8r3OMpjBPfRcyLmLBuOekkwKYt8SH3QhkWmwS8lTffKyHwQvUnuKQc48AeoYgXOFNKLGYt45Uvgli98UDMrZs9HszyU3bhGLr-V1r0d6zwlAmjc7MJtIf5rsALq4OBfyUsICTF_80tMgGDKA4WyvOMq-QtTAVi8PcQIqOlmrVeqeS-UvOJEoI64ZZeuEyirX_Q3aRc61TTiGRho_06-e1GI9bia7Ymv9hO-B5Pn5_QW7W0CgE0nq9i24LeYR6j1i01ULjMzw3rpScPFl4woXB7dEeRO--icJHw-5pK23irtZEca7j8TcfAnCHmEMGr9CYv-O4ZNlbUIJR4qpWylU6rJCkyk50I2kEixU4DMXAVw6r8HamgjZW2e1pcLTxDGjvf_QhMyNs8OVqQGUuN1_ztZhKtL0LzgAEWj-uGwjK5djnCinShO6xiniF3fgwuFdsUesVi9_KRWUYYYhxtgErphsPd56Zu5cyTm8qykzXEAOeRZ0TTEWCISyh7iwkn6kYF4CDAF7GM9JH0KO4uVOxaDWTDj38V6NH4Q2YTtG-LiN3QLcdiplshI2S5IWD0d5gAzBLPq-hFgDNzt8RGqY6EcCsA8HQF5geFaDM2qGE3fFtYLscRRVoUD0jcV3mV70ANDW0CfuIXMS97_qcEQ9vqqBShRANccfwN_kxb-1pejuO59k1HUfYg8spqgbZpQDL-2bAd84L7Ml2Zorst8ofvQNf_wrtvqc9SH_jYHXuIkvfyb5CuA3nfDB7tVhQJXKXLTfuJjKYn2mnQgWj3cATCcrpP1NEYi1cbV2MQx0aMo1E8PERONAAQdQA HTTP/1.1Host: url.uk.m.mimecastprotect.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /websafe/images/loginbg.gif HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: JSESSIONID=E50D505096AD70B0E639F9D86D643C3A
Source: global traffic	HTTP traffic detected: GET /keyserver/keyserver HTTP/1.1Host: res.cisco.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=K5Bus8xRHxnHaSd&MD=TKPwXKu2 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en&try=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en&try=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=K5Bus8xRHxnHaSd&MD=TKPwXKu2 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en&try=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en&try=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?p=0&d=%7B%27name%27%3Anull,%0D%0A%27msgID%27%3A%27%7C1__012393150000018e806b24aa956f8f48f98e19c2%40ovarp0688%2Ecorpmailsvcs%2Ecom%27,%0D%0A%27keysize%27%3A24,%0D%0A%27flags%27%3A3073,%0D%0A%27rid%27%3A%27YWNjb3VudHNwYXlhYmxlIDxhY2NvdW50c3BheWFibGVAY3JhbmV3YXJlLmNvbT4sICJwaGFybWFjeWJpbGxpbmdhZG1pbkBjaGFuZ2VoZWFsdGhjYXJlLmNvbSIgPHBoYXJtYWN5YmlsbGluZ2FkbWluQGNoYW5nZWhlYWx0aGNhcmUuY29tPg%3D%3D%27,%0D%0A%27algnames%27%3A%7B%27encryption%27%3A%7B%27data%27%3A%27AES%27%7D%7D,%0D%0A%27algparams%27%3A%7B%27encryption%27%3A%7B%27data%27%3A%7B%27IV%27%3A%27LHCijzkUvfOdEEtnk6xpAw%3D%3D%27%7D%7D%7D,%0D%0A%27keyserverhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27securereplyhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27openerhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27toc%27%3A%5B%0D%0A%5B%27Body-1711551489199%2Etxt%27,1,%0D%0A%27%27,%0D%0A%27%27,%0D%0A13,%5B0,43824%5D,%27Body-1711551489199%2Etxt%27,%0D%0A%27UTF-16%27%5D,%0D%0A%5B%27image002%2Epng%27,2,%0D%0A%27%27,%0D%0A%27image002%2Epng%27,%0D%0A21,%5B43824,3817%5D,%27image002%2Epng%27,%0D%0A%27ISO-8859-1%27%5D,%0D%0A%5B%27image003%2Epng%27,2,%0D%0A%27%27,%0D%0A%27image003%2Epng%27,%0D%0A21,%5B47641,5468%5D,%27image003%2Epng%27,%0D%0A%27ISO-8859-1%27%5D,%0D%0A%5B%27MessageBar%2Ehtml%27,4,%0D%0A%27%27,%0D%0A%27%27,%0D%0A1,%5B53109,63586%5D,%27MessageBar%2Ehtml%27,%0D%0A%27UTF-16%27%5D%0D%0A%5D,%0D%0A%27salt%27%3A%27frfzhcw7G%2FNdlMuvS%2BfQLm5CkoE%3D%27,%0D%0A%27data%27%3A%5B%0D%0A%27%27,%27j3rt2rKVtePYhOdkWuHqAvG5IPgP7XWniwxQo6069G4%2FUd1VX8br2nlNrN%2FfyhxIJFGRvKeVONEaCVW6N5mXAjdjK4Zct33b5Yp26m8kPhxD4TzzWva%2B%2F3%2BMC76krWXVGGGdx2CCsZxmrl30Sn%2FaToDfKjQil6%2FRjJWeT5GCmzjirnek%2Ft0%2FPJl6fd1571mAV0g9fyaegZ1Eo0AouxnxsTs1WtzYkDuF5q%2BWH3zhHCfqjegwpVSU2m0uJ8kq2xj8FIMs%2Bsnr5Ya3yuo7aiem0xMqwkl%2Fr5j2Q7rSn8UBGO%2BzOpCaiO6cM7NbLpzTzrJ%2BI5SjwsiRhHJ8nHGz6G7lIFHnF2WsRGfYZ%2BubPnt4xioEjSYGMsauab95VpoQMAq9dvVh3So0VyGx7I6Cfl7UGAwPqSNWTciWoVYVZfQS7FowRMDPPygldJNaNfVsiBu4ZTho9mfPFKeQg0yJCIJtEzOWq6SPbBojJbDH1OUaVtOeYGedoTtJAI6yUC3ypf56IAEsCPrs1jS8CEXLZ1mOc5umusG0nud0q1OLSLIF5b5iBCnmnMcCbqMhZWCvU0F4Bo%2FeSKZmAAABPsR0vDeTMuFuSKyGmWmmImTnoOvDC9Sbuzo3JqatAse1NSJEdpSP8Qfek9WtRyk9fB9gBE0HcLX2nfEaMsx48j8NIz%2F7%2BiTcMaY0i5ypyXH7plGkABDu2WC3mQecoTQMJrIQcVSSseDP4Mp9YJbyzUIE8xYfRZIKGK6baMcGibkQQYdNcljAVeBML9t6TB9n5a%2FtWUBYa4vZUJLB2ddCLkxYle92snWtpe5ELk%2FsWpQxQbBTjBdGrfeexLHsiUizODJc%2FGxamsOjcbwFamyKwsICM%2BiutEzZlWJyRAWab%2BUUZiinrZBQcyuL7Jj4OsHw6JhrLphOKkZYXKUD2EpUyrGeMyo69G4L9dGsxF%2Bcxu903zE%2F06eYwOc9Ot9ukQ8J427a2gana9Ghe%2FlzVq66qYsGJ9YqkJ%2Bx5P7X9UXd1WaSwn1lQi3jqVNbnePDwOrzl0NlGgT0%2F6v%2Fydd%2B%2F7XDFKJKYKE13d4VImSKxOCApc2XZPc7VwtVqJ3SItbKmHZWAqD99SWMTCoKAPEEDfBnwzm90bTKC9Jd8r0lvHY%2BvdnOTV7DBpyAbBeKSa%2B9fSaiTatQleBMnphHTXkJcC4j%2Br27bx%2BsbcrLbdzHukkXkIlNvfxC7PU93LIw4boxVSOdyGf1H6gI2t1ogDpzTVA1O3YEKrpoI9dtjfZfzT5OywiMG%2Bz0Sf01x%2F46TZ8zkIgq0au86ZDrtf%2BdFzQH61SJI
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: static.cres-aws.com

Source: securedoc_20240327T095809.html	String found in binary or memory: http://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5F
Source: chromecache_68.2.dr	String found in binary or memory: http://scripts.sil.org/OFLInterLightWeightSlant
Source: chromecache_80.2.dr	String found in binary or memory: http://scripts.sil.org/OFLInterSemiBoldWeightSlant
Source: chromecache_72.2.dr	String found in binary or memory: http://scripts.sil.org/OFLWeightSlant
Source: chromecache_79.2.dr	String found in binary or memory: http://scripts.sil.org/OFLWeightSlantRegular
Source: securedoc_20240327T095809.html	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js
Source: securedoc_20240327T095809.html	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.12/css/select2.min.css
Source: securedoc_20240327T095809.html	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.12/js/select2.min.js
Source: chromecache_80.2.dr, chromecache_68.2.dr	String found in binary or memory: https://github.com/rsms/inter)Inter
Source: chromecache_79.2.dr	String found in binary or memory: https://github.com/rsms/inter)InterBold3.019;RSMS;Inter-BoldInter
Source: chromecache_72.2.dr	String found in binary or memory: https://github.com/rsms/inter)InterRegular3.019;RSMS;Inter-RegularInter
Source: chromecache_74.2.dr	String found in binary or memory: https://github.com/select2/select2/blob/master/LICENSE.md
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com/websafe/custom.action?cmd=authFrame
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com/websafe/images/loginbg.gif
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com/websafe/images/pullFeature/arrowDown.svg
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com/websafe/logo/qWuRZDIlFFn0Z.ejbun830-rfiY7KGOHGT2q9s4Y9v3gB5g005b.rfoQ7ujVDdQgn
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/envelopeopener/decrypt_envelope.jsp
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/keyserver/keyserver
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/websafe/help?topic=PPNotShown
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/websafe/help?topic=RegEnvelope
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/websafe/pswdForgot.action
Source: securedoc_20240327T095809.html	String found in binary or memory: https://static.cres-aws.com/CRES_login_bg.jpg
Source: securedoc_20240327T095809.html	String found in binary or memory: https://static.cres-aws.com/postx.css
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/9_gNC1wrNT6PwpVtXssXg?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/Dp--C4xR3HzDAJXsjPJbG?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/QyNqC73L0cz8jmDskFKI_?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/aKDOC2kvNhVBokMh95_gc?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/c5z9C5y94uMXY0BCli2pa?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/iBBRCZ6VnS7knMJHKXwvL?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/vjFtC312XtXyYmnhvrGnN?domain=res.cisco.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49737 version: TLS 1.2

Source: classification engine

Classification label: sus23.phis.winHTML@14/33@16/8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\securedoc_20240327T095809.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=2016,i,12304014152104362397,15301322850232453726,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=2016,i,12304014152104362397,15301322850232453726,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.253.122.106	www.google.com	United States	15169	GOOGLEUS	false
195.130.217.180	url.uk.m.mimecastprotect.com	United Kingdom	42427	MIMECAST-UKGB	false
108.138.85.60	d2qj7djftjbj85.cloudfront.net	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
184.94.241.74	res.cisco.com	United States	16417	IRONPORT-SYSTEMS-INCUS	false
108.138.85.84	unknown	United States	16509	AMAZON-02US	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.16

Contacted Domains

Name	IP	Active
res.cisco.com	184.94.241.74	true
url.uk.m.mimecastprotect.com	195.130.217.180	true
cdnjs.cloudflare.com	104.17.25.14	true
www.google.com	172.253.122.106	true
d2qj7djftjbj85.cloudfront.net	108.138.85.60	true
static.cres-aws.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/securedoc_20240327T095809.html	false	Avira URL Cloud: safe	low
https://static.cres-aws.com/fonts/Inter/Inter-Light.ttf	false	Avira URL Cloud: safe	unknown
https://res.cisco.com/websafe/images/loginbg.gif	false		high
https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.12/css/select2.min.css	false		high
https://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en	false		high
https://static.cres-aws.com/fonts/Inter/Inter-Regular.ttf	false	Avira URL Cloud: safe	unknown
https://res.cisco.com/keyserver/keyserver	false		high
https://res.cisco.com/websafe/logo/qWuRZDIlFFn0Z.ejbun830-rfiY7KGOHGT2q9s4Y9v3gB5g005b.rfoQ7ujVDdQgnEtQdA!!/branding/customer-logo.gif?f=1	false		high
https://static.cres-aws.com/fonts/Inter/Inter-SemiBold.ttf	false	Avira URL Cloud: safe	unknown
https://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en	false		high
https://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en&try=1	false		high
https://static.cres-aws.com/postx.css	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://url.uk.m.mimecastprotect.com/s/QyNqC73L0cz8jmDskFKI_?domain=res.cisco.com?su=&df=&tf=&lp=en&v=2&m=%7c1__012393150000018e806b24aa956f8f48f98e19c2%40ovarp0688.corpmailsvcs.com&s=1&f=0&d=1711725073246&action=open&j=1&jc=l_&jca=%22RPCRef%22%3apayload.rpc%2c%0a%22callback%22%3aqr&src=1&na=Netscape&nj=0&njs=1&nl=en-US&np=Win32&nu=Mozilla%2f5.0%20%28Windows%20NT%2010.0%3b%20Win64%3b%20x64%29%20AppleWebKit%2f537.36%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f117.0.0.0%20Safari%2f537.36&nv=5.0%20%28Windows%20NT%2010.0%3b%20Win64%3b%20x64%29%20AppleWebKit%2f537.36%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f117.0.0.0%20Safari%2f537.36	false	Avira URL Cloud: safe	unknown
http://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en	false		high
http://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en	false		high
https://static.cres-aws.com/CRES_login_bg.jpg	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.12/js/select2.min.js	false		high
https://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?lp=en	false		high
http://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?lp=en	false		high
https://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en&try=1	false		high
https://static.cres-aws.com/fonts/Inter/Inter-Bold.ttf	false	Avira URL Cloud: safe	unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Mar 29 14:11:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	427258E1D08A0E74AF08C3553BAF73CA	E3329AFCE4A3C54BEA28EFB455AD2E96068E11EF	671B1DFAFBF0EDCAA519BEA7D43623D989D6108F0D70F1735BB44DA0E1870281
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Mar 29 14:11:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	FE43839728681C00E270079B48EE20AB	0F7A656DD99A80212682DFDEE76A335B0D52CC5C	50F097CF22307CB8ACDC7C84AD3159AB0B659CE36C06ADF81E1B7C4C2D2E18A3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	C9EA06DEE292AF7A49B9883A9361478A	BAFC83EC777A2EDF6B755325F62FEA860307FDB0	4BBC08DA217756DB0CD3744F819A518B405F925AEDBFF2DB54C9931F9F79A42A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Mar 29 14:11:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	B1B9DEAB27F8B29749F627A35A1A9B76	C132053957EC25EDFC80109CB1BAD85BDC6104A7	5AB02416138E97595EA9A7A31F16FC082F8DE78BF4BFA554A246CAF532B784E6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Mar 29 14:11:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	940CD3C49D2EDD5216F10DE0613C0096	055BBCE7E960A61BD8ABE7DD74903035EC6F4BAC	BC7C901DEF83F88B9930DB477C7130AC4682C913B4B5166C4330AD037E6ED93D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Mar 29 14:11:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	209EB068DCC81F5CBD2675B883D284E3	03E5CADA9B9DA78E50A4820EF4E9887FFCB04ECC	71D5473C2E785FD0A616899D3E7FF08AC24AD60E3733C8BF13B61AECB0722EFD
Chrome Cache Entry: 67	assembler source, ASCII text, with very long lines (532)	1444470212C91839F71D8F970716C08E	221878F028DFAECEA3C2C51E8EA8037BD6A29FE8	1A5395EF53168235A0738B5133B5EA056B6982627CB95BCA76C74EAE87586FCD
Chrome Cache Entry: 68	TrueType Font data, 16 tables, 1st "GDEF", 14 names, Microsoft, language 0x409, Copyright 2020 The Inter Project Authors (https://github.com/rsms/inter)Inter LightRegular3.019;	60C8F64064078554B6469EEDA25944EB	732E278A85762A0EDFB4E077E44E3EB39D8AF92E	7FB161BBEB1C03F21D9A80601400D803E7EA7DD6FC8EA164F2B2A073E7722953
Chrome Cache Entry: 69	GIF image data, version 89a, 1280 x 808	C22D6210FC87C4743002CEA8A581D766	F0050B25B3FCBF863695CFD025E611A98A353CC8	A0DF8C2C2AAF954F3F45E88A82B2F15AB918BA9DA08EB7BE21569C6143BA5262
Chrome Cache Entry: 70	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=1, copyright=sandra cifo. www.cifography.com. 2016], baseline, precision 8, 1440x960, components 3	E38D601F1F6EF6663954EC55183C5FDE	63D466158889D3043056ACDFBF330F16E55DA498	9B8699D04D29EC9D28E06E4953C40AADE72619EF9813F25632E25DD5FFDBC89C
Chrome Cache Entry: 71	GIF image data, version 89a, 1280 x 808	C22D6210FC87C4743002CEA8A581D766	F0050B25B3FCBF863695CFD025E611A98A353CC8	A0DF8C2C2AAF954F3F45E88A82B2F15AB918BA9DA08EB7BE21569C6143BA5262
Chrome Cache Entry: 72	TrueType Font data, 16 tables, 1st "GDEF", 11 names, Microsoft, language 0x409, Copyright 2020 The Inter Project Authors (https://github.com/rsms/inter)InterRegular3.019;RSMS;I	A4A7379505CD554EA9523594B7C28B2A	C2767D146C3C10FE6C9B8AC0F181EF907C111F19	EEAB48280AACD4FC83C1C7E735681DF9EDD1B59588DDE23D0339BCF6552FB788
Chrome Cache Entry: 73	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=1, copyright=sandra cifo. www.cifography.com. 2016], baseline, precision 8, 1920x1280, components 3	C3598F2D3BF6694DF3378AAFC792BFEE	BBCA95477B9B15A41E4EDC59784D76F621A27263	A7842139A79734699FB6BD749733DA53E30B3634FB8C2695B57FD1A017DD1FE2
Chrome Cache Entry: 74	Unicode text, UTF-8 text, with very long lines (64131)	7C909F6DD07BED69C9CDABC9DEE2C131	7EF0ABFDB5935CDC2D50953FC0CEE43ABB501C28	C1F5534ED276A1EAA57B106C7DADCC994A01EFBC033513EA4F5435580D8C327E
Chrome Cache Entry: 75	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=1, copyright=sandra cifo. www.cifography.com. 2016], baseline, precision 8, 1920x1280, components 3	C3598F2D3BF6694DF3378AAFC792BFEE	BBCA95477B9B15A41E4EDC59784D76F621A27263	A7842139A79734699FB6BD749733DA53E30B3634FB8C2695B57FD1A017DD1FE2
Chrome Cache Entry: 76	JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=1, copyright=sandra cifo. www.cifography.com. 2016], baseline, precision 8, 1440x960, components 3	E38D601F1F6EF6663954EC55183C5FDE	63D466158889D3043056ACDFBF330F16E55DA498	9B8699D04D29EC9D28E06E4953C40AADE72619EF9813F25632E25DD5FFDBC89C
Chrome Cache Entry: 77	ASCII text, with CRLF line terminators	72BEF4E675B4491B22D656CCA2A681E6	46BC734C490EB4F655FB3E80BC38A7D2F92BDE0A	7080B289264E090FB81351773F06D063EAAEDBCA4E0B1F9176AD1CE7DC3B91AB
Chrome Cache Entry: 78	ASCII text, with very long lines (14965)	9F54E6414F87E0D14B9E966F19A174F9	AE5735562FAABD1A2D9803BBD7BF4C502B5E4F51	15D6AD4DFDB43D0AFFAD683E70029F97A8F8FC8637A28845009EE0542DCCDF81
Chrome Cache Entry: 79	TrueType Font data, 16 tables, 1st "GDEF", 12 names, Microsoft, language 0x409, Copyright 2020 The Inter Project Authors (https://github.com/rsms/inter)InterBold3.019;RSMS;Inte	D17C0274915408CEE0308D5476DF9F45	444CDCA680F8CE64C16FE5A606DCFBE4B33E7925	F9342F2D916AA89C924BC2ADCC1D3BFBB6EB54675E48953BACC49024FC768F76
Chrome Cache Entry: 80	TrueType Font data, 16 tables, 1st "GDEF", 14 names, Microsoft, language 0x409, Copyright 2020 The Inter Project Authors (https://github.com/rsms/inter)Inter SemiBoldRegular3.0	1753A05196ABEEF95C32F10246BD6473	ACDA92ADC6CF8C67C89395C65F371A4D2B05A783	F5595839DEBDB0D028116ED8A7579F31D1C2F712677A2E794459A5DCE6ECA929
Chrome Cache Entry: 81	ASCII text, with very long lines (65451)	220AFD743D9E9643852E31A135A9F3AE	88523924351BAC0B5D560FE0C5781E2556E7693D	0925E8AD7BD971391A8B1E98BE8E87A6971919EB5B60C196485941C3C1DF089A

Phishing

Suspicious Javascript code found in HTML file

Source: securedoc_20240327T095809.html	HTTP Parser: document.write
Source: securedoc_20240327T095809.html	HTTP Parser: location.href
Source: securedoc_20240327T095809.html	HTTP Parser: window.location

Detected hidden input values containing email addresses (often used in phishing pages)

Source: securedoc_20240327T095809.html	HTTP Parser: "Carruthers, Crystal" <crystal.carruthers@optum.com>
Source: securedoc_20240327T095809.html	HTTP Parser: Secure Message from crystal.carruthers@optum.com
Source: file:///C:/Users/user/Desktop/securedoc_20240327T095809.html	HTTP Parser: {'name':null,'msgID':'\|1__012393150000018e806b24aa956f8f48f98e19c2@ovarp0688.corpmailsvcs.com','keysize':24,'flags':3073,'rid':'YWNjb3VudHNwYXlhYmxlIDxhY2NvdW50c3BheWFibGVAY3JhbmV3YXJlLmNvbT4sICJwaGFybWFjeWJpbGxpbmdhZG1pbkBjaGFuZ2VoZWFsdGhjYXJlLmNvbSIgPHBoYXJtYWN5YmlsbGluZ2FkbWluQGNoYW5nZWhlYWx0aGNhcmUuY29tPg==','algnames':{'encryption':{'data':'AES'}},'algparams':{'encryption':{'data':{'IV':'LHCijzkUvfOdEEtnk6xpAw=='}}},'keyserverhost':'res.cisco.com:443','securereplyhost':'res.cisco.com:443','openerhost':'res.cisco.com:443','toc':[['Body-1711551489199.txt',1,'','',13,[0,43824],'Body-1711551489199.txt','UTF-16'],['image002.png',2,'','image002.png',21,[43824,3817],'image002.png','ISO-8859-1'],['image003.png',2,'','image003.png',21,[47641,5468],'image003.png','ISO-8859-1'],['MessageBar.html',4,'','',1,[53109,63586],'MessageBar.html','UTF-16']],'salt':'frfzhcw7G/NdlMuvS+fQLm5CkoE=','data':['','','']}

HTML title does not match URL

Source: securedoc_20240327T095809.html

HTTP Parser: Title: Secure Registered Envelope:Secure Message from crystal.carruthers@optum.com does not match URL

Source: securedoc_20240327T095809.html

HTTP Parser: <input type="password" .../> found

Source: securedoc_20240327T095809.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/securedoc_20240327T095809.html	HTTP Parser: No favicon

Source: securedoc_20240327T095809.html

HTTP Parser: No <meta name="author".. found

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49737 version: TLS 1.2

HTTP GET or POST without a user agent

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 195.130.217.180 195.130.217.180
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 184.94.241.74 184.94.241.74
Source: Joe Sandbox View	IP Address: 104.17.25.14 104.17.25.14

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.21.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203

Source: global traffic	HTTP traffic detected: GET /ajax/libs/select2/4.0.12/css/select2.min.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /postx.css HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/select2/4.0.12/js/select2.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /websafe/logo/qWuRZDIlFFn0Z.ejbun830-rfiY7KGOHGT2q9s4Y9v3gB5g005b.rfoQ7ujVDdQgnEtQdA!!/branding/customer-logo.gif?f=1 HTTP/1.1Host: res.cisco.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /websafe/logo/qWuRZDIlFFn0Z.ejbun830-rfiY7KGOHGT2q9s4Y9v3gB5g005b.rfoQ7ujVDdQgnEtQdA!!/branding/customer-logo.gif?f=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: JSESSIONID=E50D505096AD70B0E639F9D86D643C3A
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /CRES_login_bg.jpg HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /websafe/images/loginbg.gif HTTP/1.1Host: res.cisco.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: JSESSIONID=E50D505096AD70B0E639F9D86D643C3A
Source: global traffic	HTTP traffic detected: GET /fonts/Inter/Inter-Regular.ttf HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://static.cres-aws.com/postx.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Inter/Inter-Light.ttf HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://static.cres-aws.com/postx.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /CRES_login_bg.jpg HTTP/1.1Host: static.cres-aws.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /s/QyNqC73L0cz8jmDskFKI_?domain=res.cisco.com?su=&df=&tf=&lp=en&v=2&m=%7c1__012393150000018e806b24aa956f8f48f98e19c2%40ovarp0688.corpmailsvcs.com&s=1&f=0&d=1711725073246&action=open&j=1&jc=l_&jca=%22RPCRef%22%3apayload.rpc%2c%0a%22callback%22%3aqr&src=1&na=Netscape&nj=0&njs=1&nl=en-US&np=Win32&nu=Mozilla%2f5.0%20%28Windows%20NT%2010.0%3b%20Win64%3b%20x64%29%20AppleWebKit%2f537.36%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f117.0.0.0%20Safari%2f537.36&nv=5.0%20%28Windows%20NT%2010.0%3b%20Win64%3b%20x64%29%20AppleWebKit%2f537.36%20%28KHTML%2c%20like%20Gecko%29%20Chrome%2f117.0.0.0%20Safari%2f537.36 HTTP/1.1Host: url.uk.m.mimecastprotect.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Inter/Inter-SemiBold.ttf HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://static.cres-aws.com/postx.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Inter/Inter-Bold.ttf HTTP/1.1Host: static.cres-aws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://static.cres-aws.com/postx.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/3F8MFGTLrjLNrGEuoJ9LZYq2CZHs77TvrbWgLybRWK5Cx1YIjrZ5X7EVrtiiQDXJHakcWoQ4l9X_WG_OuHJVgMxr-H05_K-Ch48tBOAAjef8TY7QwNOdendkOtQvA5_NAi1syjbf8k84asafJGw1g3vFMwvOHroINaroUbuwMo3g-pJA0nCTLqLnu1DLQMpuk1XcUDFdHQWwls_CUbLvNUHrVniYrlWnxmur2t3lYUjvpZcpUgJYWVBySL9h1rma7CW94Zwg9HzSCtI_gc7YNhwrhdyPiXSElVE_4ehqZMVehGJOFd-y9Bse49i8G6TLtJIRvbeE_TOefuWfqKTh6hHcIyC74aGYmL5umdWnR7_J2syUjan8A7lIo5T6j0rb25CW4ff7C1WA7kth-MIkisj8XzQOd9PABBu_Qb8LgIKa-_ETrtCC5asVHoidzw6yJQFM1gDw4IO4Rs_Np3U4bjzzRZBswec56uzuYOhxC5x-yukitpxuLqvzNW78STFsHf3D3Wbg7Pv2-nNVRxgXshxFzyls2aQ7UQp4dwIrpTAaW1cic3ZqSnjAM-HamFKdjeqZ-BzpdxoCbf7iMKWlxgc6KVDcarMKvHQQesDRfkE1epCtkLph5djuLReNdSSmosmAVMoOdA4Er9Dohn3UQu_KrG3fHPwaK36U9Lhl2HXsxNRalV5ab5kRrHNYHqp0tvbzKcC203MdXPwGjY4v3PbMYPg2a8BZMTgvji1-rM2gjefw1RCdKMUyhwQuKMLgp7IH3-GH6swleggNzCSaGbye_ZdWJPwNQz9zLP13TKhBNJq1EwArnH8XzPXRoiia2KGc7JHoVVD8dA2pXuDG8oW0I82iTSIiUT8XV5CkUH7ZzgtysD8e0EAlNmsng1S3x9McbYRsODUEvSycfqWEwrzywKWx6gGj-6MR1CtaEG_lLlgc9cbcigsqB_TWL2Y9wh7YuvirIgHHZidMHyuv_oUQgpFw_xH96IJH6esB7XuG-LhJ0c8NMb_1aKvLeK0ffRHo826doemavJ-7CfRGyXRUmjbT-jpl_ZJb_zucrHyr2zvbrtVm1Im89UhhcqkzLWPVWvtJxHoWcViy_20wh4mFzGdq_Ez2oGSy37UL2QSDEXrYKPf3IcYDEhjFPbT8gcjwORpffBDoDvNu-1aFUCUDojxNaDUHRSaPiJOMq6giNomlh8kz_kMvZ1hbOr7hk-9GzYxXI4TnAFas-5l57deKywNh_HLnUbR1kmFXk5uZFizRjZRVB_0PdF1q1lePp1ptcqd8r3OMpjBPfRcyLmLBuOekkwKYt8SH3QhkWmwS8lTffKyHwQvUnuKQc48AeoYgXOFNKLGYt45Uvgli98UDMrZs9HszyU3bhGLr-V1r0d6zwlAmjc7MJtIf5rsALq4OBfyUsICTF_80tMgGDKA4WyvOMq-QtTAVi8PcQIqOlmrVeqeS-UvOJEoI64ZZeuEyirX_Q3aRc61TTiGRho_06-e1GI9bia7Ymv9hO-B5Pn5_QW7W0CgE0nq9i24LeYR6j1i01ULjMzw3rpScPFl4woXB7dEeRO--icJHw-5pK23irtZEca7j8TcfAnCHmEMGr9CYv-O4ZNlbUIJR4qpWylU6rJCkyk50I2kEixU4DMXAVw6r8HamgjZW2e1pcLTxDGjvf_QhMyNs8OVqQGUuN1_ztZhKtL0LzgAEWj-uGwjK5djnCinShO6xiniF3fgwuFdsUesVi9_KRWUYYYhxtgErphsPd56Zu5cyTm8qykzXEAOeRZ0TTEWCISyh7iwkn6kYF4CDAF7GM9JH0KO4uVOxaDWTDj38V6NH4Q2YTtG-LiN3QLcdiplshI2S5IWD0d5gAzBLPq-hFgDNzt8RGqY6EcCsA8HQF5geFaDM2qGE3fFtYLscRRVoUD0jcV3mV70ANDW0CfuIXMS97_qcEQ9vqqBShRANccfwN_kxb-1pejuO59k1HUfYg8spqgbZpQDL-2bAd84L7Ml2Zorst8ofvQNf_wrtvqc9SH_jYHXuIkvfyb5CuA3nfDB7tVhQJXKXLTfuJjKYn2mnQgWj3cATCcrpP1NEYi1cbV2MQx0aMo1E8PERONAAQdQA HTTP/1.1Host: url.uk.m.mimecastprotect.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /websafe/images/loginbg.gif HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: JSESSIONID=E50D505096AD70B0E639F9D86D643C3A
Source: global traffic	HTTP traffic detected: GET /keyserver/keyserver HTTP/1.1Host: res.cisco.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=K5Bus8xRHxnHaSd&MD=TKPwXKu2 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en&try=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en&try=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=K5Bus8xRHxnHaSd&MD=TKPwXKu2 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en&try=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en&try=1 HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?p=0&d=%7B%27name%27%3Anull,%0D%0A%27msgID%27%3A%27%7C1__012393150000018e806b24aa956f8f48f98e19c2%40ovarp0688%2Ecorpmailsvcs%2Ecom%27,%0D%0A%27keysize%27%3A24,%0D%0A%27flags%27%3A3073,%0D%0A%27rid%27%3A%27YWNjb3VudHNwYXlhYmxlIDxhY2NvdW50c3BheWFibGVAY3JhbmV3YXJlLmNvbT4sICJwaGFybWFjeWJpbGxpbmdhZG1pbkBjaGFuZ2VoZWFsdGhjYXJlLmNvbSIgPHBoYXJtYWN5YmlsbGluZ2FkbWluQGNoYW5nZWhlYWx0aGNhcmUuY29tPg%3D%3D%27,%0D%0A%27algnames%27%3A%7B%27encryption%27%3A%7B%27data%27%3A%27AES%27%7D%7D,%0D%0A%27algparams%27%3A%7B%27encryption%27%3A%7B%27data%27%3A%7B%27IV%27%3A%27LHCijzkUvfOdEEtnk6xpAw%3D%3D%27%7D%7D%7D,%0D%0A%27keyserverhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27securereplyhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27openerhost%27%3A%27res%2Ecisco%2Ecom%3A443%27,%0D%0A%27toc%27%3A%5B%0D%0A%5B%27Body-1711551489199%2Etxt%27,1,%0D%0A%27%27,%0D%0A%27%27,%0D%0A13,%5B0,43824%5D,%27Body-1711551489199%2Etxt%27,%0D%0A%27UTF-16%27%5D,%0D%0A%5B%27image002%2Epng%27,2,%0D%0A%27%27,%0D%0A%27image002%2Epng%27,%0D%0A21,%5B43824,3817%5D,%27image002%2Epng%27,%0D%0A%27ISO-8859-1%27%5D,%0D%0A%5B%27image003%2Epng%27,2,%0D%0A%27%27,%0D%0A%27image003%2Epng%27,%0D%0A21,%5B47641,5468%5D,%27image003%2Epng%27,%0D%0A%27ISO-8859-1%27%5D,%0D%0A%5B%27MessageBar%2Ehtml%27,4,%0D%0A%27%27,%0D%0A%27%27,%0D%0A1,%5B53109,63586%5D,%27MessageBar%2Ehtml%27,%0D%0A%27UTF-16%27%5D%0D%0A%5D,%0D%0A%27salt%27%3A%27frfzhcw7G%2FNdlMuvS%2BfQLm5CkoE%3D%27,%0D%0A%27data%27%3A%5B%0D%0A%27%27,%27j3rt2rKVtePYhOdkWuHqAvG5IPgP7XWniwxQo6069G4%2FUd1VX8br2nlNrN%2FfyhxIJFGRvKeVONEaCVW6N5mXAjdjK4Zct33b5Yp26m8kPhxD4TzzWva%2B%2F3%2BMC76krWXVGGGdx2CCsZxmrl30Sn%2FaToDfKjQil6%2FRjJWeT5GCmzjirnek%2Ft0%2FPJl6fd1571mAV0g9fyaegZ1Eo0AouxnxsTs1WtzYkDuF5q%2BWH3zhHCfqjegwpVSU2m0uJ8kq2xj8FIMs%2Bsnr5Ya3yuo7aiem0xMqwkl%2Fr5j2Q7rSn8UBGO%2BzOpCaiO6cM7NbLpzTzrJ%2BI5SjwsiRhHJ8nHGz6G7lIFHnF2WsRGfYZ%2BubPnt4xioEjSYGMsauab95VpoQMAq9dvVh3So0VyGx7I6Cfl7UGAwPqSNWTciWoVYVZfQS7FowRMDPPygldJNaNfVsiBu4ZTho9mfPFKeQg0yJCIJtEzOWq6SPbBojJbDH1OUaVtOeYGedoTtJAI6yUC3ypf56IAEsCPrs1jS8CEXLZ1mOc5umusG0nud0q1OLSLIF5b5iBCnmnMcCbqMhZWCvU0F4Bo%2FeSKZmAAABPsR0vDeTMuFuSKyGmWmmImTnoOvDC9Sbuzo3JqatAse1NSJEdpSP8Qfek9WtRyk9fB9gBE0HcLX2nfEaMsx48j8NIz%2F7%2BiTcMaY0i5ypyXH7plGkABDu2WC3mQecoTQMJrIQcVSSseDP4Mp9YJbyzUIE8xYfRZIKGK6baMcGibkQQYdNcljAVeBML9t6TB9n5a%2FtWUBYa4vZUJLB2ddCLkxYle92snWtpe5ELk%2FsWpQxQbBTjBdGrfeexLHsiUizODJc%2FGxamsOjcbwFamyKwsICM%2BiutEzZlWJyRAWab%2BUUZiinrZBQcyuL7Jj4OsHw6JhrLphOKkZYXKUD2EpUyrGeMyo69G4L9dGsxF%2Bcxu903zE%2F06eYwOc9Ot9ukQ8J427a2gana9Ghe%2FlzVq66qYsGJ9YqkJ%2Bx5P7X9UXd1WaSwn1lQi3jqVNbnePDwOrzl0NlGgT0%2F6v%2Fydd%2B%2F7XDFKJKYKE13d4VImSKxOCApc2XZPc7VwtVqJ3SItbKmHZWAqD99SWMTCoKAPEEDfBnwzm90bTKC9Jd8r0lvHY%2BvdnOTV7DBpyAbBeKSa%2B9fSaiTatQleBMnphHTXkJcC4j%2Br27bx%2BsbcrLbdzHukkXkIlNvfxC7PU93LIw4boxVSOdyGf1H6gI2t1ogDpzTVA1O3YEKrpoI9dtjfZfzT5OywiMG%2Bz0Sf01x%2F46TZ8zkIgq0au86ZDrtf%2BdFzQH61SJI
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=google&lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5FScWoIX8HSOlD-T5Z5mfGe6y5Crm60-L9VYKHBc1CQifQaF0UuKtCP6TgMRwuuw!!/?button=ok&lp=en HTTP/1.1Host: res.cisco.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: static.cres-aws.com

Source: securedoc_20240327T095809.html	String found in binary or memory: http://res.cisco.com/envelopeopener/pf/ZGJAVG9rZW4zMzcxOjEzNTk2/qqjZBFuv.ItibTT6WGs4TKRTMy5HM1s9Og5F
Source: chromecache_68.2.dr	String found in binary or memory: http://scripts.sil.org/OFLInterLightWeightSlant
Source: chromecache_80.2.dr	String found in binary or memory: http://scripts.sil.org/OFLInterSemiBoldWeightSlant
Source: chromecache_72.2.dr	String found in binary or memory: http://scripts.sil.org/OFLWeightSlant
Source: chromecache_79.2.dr	String found in binary or memory: http://scripts.sil.org/OFLWeightSlantRegular
Source: securedoc_20240327T095809.html	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js
Source: securedoc_20240327T095809.html	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.12/css/select2.min.css
Source: securedoc_20240327T095809.html	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.12/js/select2.min.js
Source: chromecache_80.2.dr, chromecache_68.2.dr	String found in binary or memory: https://github.com/rsms/inter)Inter
Source: chromecache_79.2.dr	String found in binary or memory: https://github.com/rsms/inter)InterBold3.019;RSMS;Inter-BoldInter
Source: chromecache_72.2.dr	String found in binary or memory: https://github.com/rsms/inter)InterRegular3.019;RSMS;Inter-RegularInter
Source: chromecache_74.2.dr	String found in binary or memory: https://github.com/select2/select2/blob/master/LICENSE.md
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com/websafe/custom.action?cmd=authFrame
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com/websafe/images/loginbg.gif
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com/websafe/images/pullFeature/arrowDown.svg
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com/websafe/logo/qWuRZDIlFFn0Z.ejbun830-rfiY7KGOHGT2q9s4Y9v3gB5g005b.rfoQ7ujVDdQgn
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/envelopeopener/decrypt_envelope.jsp
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/keyserver/keyserver
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/websafe/help?topic=PPNotShown
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/websafe/help?topic=RegEnvelope
Source: securedoc_20240327T095809.html	String found in binary or memory: https://res.cisco.com:443/websafe/pswdForgot.action
Source: securedoc_20240327T095809.html	String found in binary or memory: https://static.cres-aws.com/CRES_login_bg.jpg
Source: securedoc_20240327T095809.html	String found in binary or memory: https://static.cres-aws.com/postx.css
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/9_gNC1wrNT6PwpVtXssXg?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/Dp--C4xR3HzDAJXsjPJbG?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/QyNqC73L0cz8jmDskFKI_?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/aKDOC2kvNhVBokMh95_gc?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/c5z9C5y94uMXY0BCli2pa?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/iBBRCZ6VnS7knMJHKXwvL?domain=res.cisco.com
Source: securedoc_20240327T095809.html	String found in binary or memory: https://url.uk.m.mimecastprotect.com/s/vjFtC312XtXyYmnhvrGnN?domain=res.cisco.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49737 version: TLS 1.2

Source: classification engine

Classification label: sus23.phis.winHTML@14/33@16/8

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\securedoc_20240327T095809.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=2016,i,12304014152104362397,15301322850232453726,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=2016,i,12304014152104362397,15301322850232453726,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

ID:	1417555
Product:	CloudBasic
Start time:	16:10:43
Start date:	29.03.2024
Sample:	securedoc_20240327T095809.html
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	44455a91f72ab9e8d685aa703cde01cd
SHA1:	c9bdb93cf8b00e1ab0367c88f826c069af0ba0d4
SHA256:	4155158042b58e1c8d6522ad0017658e84a3847ce5c8217f720015c69dc25ff6
Filetype:	Scalable Vector Graphics (18501/1) 24.18%

Windows Analysis Report
securedoc_20240327T095809.html

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report securedoc_20240327T095809.html

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
securedoc_20240327T095809.html