Windows Analysis Report
TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml

Overview

General Information

Sample name: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml
Analysis ID: 1416066
MD5: 93e464f6262ab8405077adb654fdac5d
SHA1: 8fe42c00800fb3f4ecd9007d7343c8bb93274baa
SHA256: 6850713c1901fb166426101d036615000bc5d8b181585f599b334321f9c34871
Infos:

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Suspicious MSG / EML detected (based on various text indicators)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores files to the Windows start menu directory
Tries to load missing DLLs

Classification

Phishing
barindex
Suspicious MSG / EML detected (based on various text indicators)
Source: MSG / EML OCR Text: DocuSign Your document has been completed VIEW COMPLETED DOCUMENT Lizabeth A Bavitz All parties have completed Please DocuSign: 22220.01 Sinclair Hille CCO 4. Please sign the attached change order. LIZABETH A. BAVITZ, AIA, Architect I Principal T 402-476-7331 EXT. 153 | C 402-450-2243 SINCLAIRHILLE.COM I FACEBOOK I INSTAGRAM I LINKEDIN Do Not Share This Email This email contains a secure link to DocuSign. Please do not share this email, link, or access code with others. Alternate Signing Method Visit DocuSign.com, click 'Access Documents', and enter the security code: B706FA46B120497F98B11ACF93D7439F7 About DocuSign Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go or even across the globe DocuSign provides a professional trusted solution for Digital Transaction ManagementTM. Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly. Stop receiving this email Report this email or read more about Declining to sign and Managing notifications. If you are having trouble signing the document, please visit the Help with Signing page on our Support Center. Download the DocuSign App This message was sent to you by Mary Jo Hamik who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.
Source: unknown HTTPS traffic detected: 20.190.151.67:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.152.21:443 -> 192.168.2.16:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.89.179.9:443 -> 192.168.2.16:49753 version: TLS 1.2
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEApwChWQq5lNmBKsEPWGpnTgALtq6cu/9Dlxsars2jaiEPTBfZ1quoJbcAwU8Txaa8q3M1HduY4uLm+fCw8/qqsWP12ZUjUg7jK/RADXyVTCS49Jp/bOkotugNvMLEhFQWKroL6wTlvyng19/rY4p0GnonDOuwK1985i5xy4VbGZmqShzB9JWOn//Nn9jTG8fCy74/dR0vdzR9b3S6M2QnDehkJzz6WScdv103BPiylwOU0KubJRggyyddYCzzL6HvnUNKXvoIX+E4S+NgNS+6vR1WSTXxQJG89QgTb4nWlKoLIU4nqqAwUmlb93DzHEGNgbHQE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1711479997774Host: self.events.data.microsoft.comContent-Length: 8091Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.151.67
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.242.90
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /?url=https%3A%2F%2Fna4.docusign.net%2FMember%2FEmailStart.aspx%3Fa%3Db706fa46-b120-497f-98b1-1acf93d7439f%26r%3D905a3632-fc6c-40dd-8c74-118c89ffa7e3&data=05%7C02%7Cainzodda%40eti-engineers.com%7Cefe511bd40e842b08d6d08dc4db459af%7C61e321000ec946df94d955c5b7c8c933%7C0%7C0%7C638470684529130553%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C20000%7C%7C%7C&sdata=cRAO31DeUdt%2ByQmti5d2tyFpF4aDt0NXlO8Ph8LOXyI%3D&reserved=0 HTTP/1.1Host: nam12.safelinks.protection.outlook.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hufsGv4WPtwT7cx&MD=+TbmuvAW HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /track/?data=eyJldmVudCI6ICJtcF9wYWdlX3ZpZXciLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiV2luZG93cyIsIiRicm93c2VyIjogIkNocm9tZSIsIiRzY3JlZW5faGVpZ2h0IjogMTAyNCwiJHNjcmVlbl93aWR0aCI6IDEyODAsIm1wX2xpYiI6ICJ3ZWIiLCJkaXN0aW5jdF9pZCI6ICJFREQ1RDY0M0Y0MDBEMkY0QkQwMkJGNTIzNTkyRUFEQ0U2QUUyNTdCIiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfcGFnZSI6ICJuYTQuZG9jdXNpZ24ubmV0IiwibXBfYnJvd3NlciI6ICJDaHJvbWUiLCJtcF9wbGF0Zm9ybSI6ICJXaW5kb3dzIiwidG9rZW4iOiAiMzA0Y2NiZGUyNGQzYjE1ZmZlMmQ1ZGUzMGMxMGRhYjIifX0%3D&ip=1&_=1711479710672 HTTP/1.1Host: api.mixpanel.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://na4.docusign.netSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://na4.docusign.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /track/?data=eyJldmVudCI6ICJtcF9wYWdlX3ZpZXciLCJwcm9wZXJ0aWVzIjogeyIkb3MiOiAiV2luZG93cyIsIiRicm93c2VyIjogIkNocm9tZSIsIiRzY3JlZW5faGVpZ2h0IjogMTAyNCwiJHNjcmVlbl93aWR0aCI6IDEyODAsIm1wX2xpYiI6ICJ3ZWIiLCJkaXN0aW5jdF9pZCI6ICJFREQ1RDY0M0Y0MDBEMkY0QkQwMkJGNTIzNTkyRUFEQ0U2QUUyNTdCIiwiJGluaXRpYWxfcmVmZXJyaW5nX2RvbWFpbiI6ICIkZGlyZWN0IiwibXBfcGFnZSI6ICJuYTQuZG9jdXNpZ24ubmV0IiwibXBfYnJvd3NlciI6ICJDaHJvbWUiLCJtcF9wbGF0Zm9ybSI6ICJXaW5kb3dzIiwidG9rZW4iOiAiMzA0Y2NiZGUyNGQzYjE1ZmZlMmQ1ZGUzMGMxMGRhYjIifX0%3D&ip=1&_=1711479710672 HTTP/1.1Host: api.mixpanel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hufsGv4WPtwT7cx&MD=+TbmuvAW HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: %2Fwww.facebook.com%2Fsinclairhille&data=3D05%7C02%7Cainzodda%40eti-eng= equals www.facebook.com (Facebook)
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: 0" originalsrc=3D"https://www.linkedin.com/company/sinclair-hille-architect= equals www.linkedin.com (Linkedin)
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: =3D0" originalsrc=3D"https://www.linkedin.com/company/sinclair-hille-archit= equals www.linkedin.com (Linkedin)
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: _architects/> | LINKEDIN<https://www.linkedin.com/company/sinclair-hille-ar= equals www.linkedin.com (Linkedin)
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: com/?url=3Dhttps%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fsinclair-hille-archit= equals www.linkedin.com (Linkedin)
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: nalsrc=3D"http://www.facebook.com/sinclairhille" shash=3D"vCfhBiWAssa/q0y3n= equals www.facebook.com (Facebook)
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: riginalsrc=3D"http://www.facebook.com/sinclairhille" shash=3D"bqS3fWWL+Z5A1= equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: nam12.safelinks.protection.outlook.com
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4738Host: login.live.com
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: http://www.sinclairhille.com/
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://na4.docus=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://na4.docusign.=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://na4.docusign.net/M=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://na4.docusign.net/Member/EmailStart.aspx?a=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://na4.docusign.net/Member/Images/email/icon-DownloadApp-18x18
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://na4.docusign.net/Signing/Images/email/Email_L=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://na4.docusign.net/member/Images/email/docComplete-whit=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://na4.docusign.net/member/Images/email/docComplete-white.png
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks.prot=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks.protection.outloo=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks.protection.outlook.=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks.protection.outlook.c=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks.protection.outlook.com/?url=3Dht=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks.protection.outlook.com/?url=3Dhttp%3A%2F=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks.protection.outlook.com/?url=3Dhttps%3A%2=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fs=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://nam12.safelinks=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://protect.docusign.net/r=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://protect.docusign.net/report-abuse?e=3DAUtomjpFak9=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://protect.docusign.net/report-abuse?e=3DAUtomjpFak9GlbPL0zFFi12eg=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://support.do=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://support.docusign.c=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://support.docusign.com/en/articl=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://support.docusign.com/en/guides/Declining-to-sign-DocuSign-Sign=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://support.docusign.com/s/articles/How-do-I-sign-a-DocuSign-do=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://support.docusign.com/s=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://support.docusign=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.docusign.com/features-and-bene=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.docusign.com/features-and-benefits/m=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.docusign.com/support
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.instagram.com/s=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.instagram.com/sinclairhille=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.instagram.com=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.linkedin.com/company/sinclair-hille-ar=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.linkedin.com/company/sinclair-hille-archit=
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml String found in binary or memory: https://www.linkedin.com/company/sinclair-hille-architect=
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 20.190.151.67:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.16:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.152.21:443 -> 192.168.2.16:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.71.55.58:443 -> 192.168.2.16:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.89.179.9:443 -> 192.168.2.16:49753 version: TLS 1.2
Tries to load missing DLLs
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: c2r64.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: gpapi.dll Jump to behavior
Source: classification engine Classification label: sus23.phis.winEML@20/19@16/6
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240326T2001330650-4540.etl Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E0A48322-1D0D-4993-9B0A-389FB445AD7D" "99D55FB5-685D-456E-8572-A92B4A134364" "4540" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fna4.docusign.net%2FMember%2FEmailStart.aspx%3Fa%3Db706fa46-b120-497f-98b1-1acf93d7439f%26r%3D905a3632-fc6c-40dd-8c74-118c89ffa7e3&data=05%7C02%7Cainzodda%40eti-engineers.com%7Cefe511bd40e842b08d6d08dc4db459af%7C61e321000ec946df94d955c5b7c8c933%7C0%7C0%7C638470684529130553%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C20000%7C%7C%7C&sdata=cRAO31DeUdt%2ByQmti5d2tyFpF4aDt0NXlO8Ph8LOXyI%3D&reserved=0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2044,i,10511135610608330330,4923106288413674305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" /b /id 7828_2057699842 /if pdfshell_prev59f66281-abcf-4c0f-a8c6-e8e8cadbd75d /CR
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E0A48322-1D0D-4993-9B0A-389FB445AD7D" "99D55FB5-685D-456E-8572-A92B4A134364" "4540" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fna4.docusign.net%2FMember%2FEmailStart.aspx%3Fa%3Db706fa46-b120-497f-98b1-1acf93d7439f%26r%3D905a3632-fc6c-40dd-8c74-118c89ffa7e3&data=05%7C02%7Cainzodda%40eti-engineers.com%7Cefe511bd40e842b08d6d08dc4db459af%7C61e321000ec946df94d955c5b7c8c933%7C0%7C0%7C638470684529130553%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C20000%7C%7C%7C&sdata=cRAO31DeUdt%2ByQmti5d2tyFpF4aDt0NXlO8Ph8LOXyI%3D&reserved=0 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2044,i,10511135610608330330,4923106288413674305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32 Jump to behavior
Source: Slides.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.12.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\SysWOW64 FullSizeInformation Jump to behavior
Source: TR_ Completed_ Please DocuSign_ 22220.01 Sinclair Hille CCO 4.eml Binary or memory string: mzPFhx4b6K2QH1yyqeMUe8uaCm16nEZ+545O5pxDU1LkAyb1D1jf7rovH+25/gXD6covyQ1aV/O8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information queried: ProcessInformation Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1416066 Sample: TR_ Completed_ Please DocuS... Startdate: 26/03/2024 Architecture: WINDOWS Score: 23 29 Suspicious MSG / EML detected (based on various text indicators) 2->29 7 OUTLOOK.EXE 513 151 2->7         started        9 Acrobat.exe 37 2->9         started        process3 process4 11 chrome.exe 9 7->11         started        14 ai.exe 7->14         started        dnsIp5 25 192.168.2.16, 138, 443, 49249 unknown unknown 11->25 27 239.255.255.250 unknown Reserved 11->27 16 chrome.exe 11->16         started        process6 dnsIp7 19 nam12.safelinks.protection.outlook.com 104.47.55.156, 443, 49712, 49713 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->19 21 api.mixpanel.com 107.178.240.159, 443, 49740 GOOGLEUS United States 16->21 23 4 other IPs or domains 16->23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
130.211.34.183
 unknown United States
15169 GOOGLEUS false
107.178.240.159
 api.mixpanel.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
104.47.55.156
 nam12.safelinks.protection.outlook.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
142.251.163.99
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.16

Contacted Domains

Name IP Active
nam12.safelinks.protection.outlook.com 104.47.55.156 true
www.google.com 142.251.163.99 true
api.mixpanel.com 107.178.240.159 true
na4.docusign.net unknown unknown
docucdn-a.akamaihd.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://na4.docusign.net/Signing/Error.aspx?e=dd154723-2527-4ad2-86de-ba69b25fbffb&scope=683f5f37-89ea-4d3c-8f74-e8472462813d false
    		high
    https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fna4.docusign.net%2FMember%2FEmailStart.aspx%3Fa%3Db706fa46-b120-497f-98b1-1acf93d7439f%26r%3D905a3632-fc6c-40dd-8c74-118c89ffa7e3&data=05%7C02%7Cainzodda%40eti-engineers.com%7Cefe511bd40e842b08d6d08dc4db459af%7C61e321000ec946df94d955c5b7c8c933%7C0%7C0%7C638470684529130553%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C20000%7C%7C%7C&sdata=cRAO31DeUdt%2ByQmti5d2tyFpF4aDt0NXlO8Ph8LOXyI%3D&reserved=0 false
      		high