Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
phish_alert_sp1_1.0.0.0.eml

Overview

General Information

Sample name:phish_alert_sp1_1.0.0.0.eml
Analysis ID:1557670
MD5:fb9691407fb258bda50ae9500985e732
SHA1:563b0e80459032dc2b571d102465f1de6de878bc
SHA256:a1ea0c9614d9e99cb2c59cae8fbcb3f73cd882166462d1d205e9794a5f224378
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected potential phishing Email
Suspicious MSG / EML detected (based on various text indicators)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores files to the Windows start menu directory

Classification

Process Tree

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 2628 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp1_1.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 1572 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6111D5E1-0ABC-455E-8D82-23F2E8CC4CFB" "669BE003-4A80-48E6-B1E5-278A10A24CF5" "2628" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 3340 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://urldefense.proofpoint.com/v2/url?u=https-3A__na4.docusign.net_Signing_EmailStart.aspx-3Fa-3Dc0dbe9f7-2Df7ee-2D4825-2Dafe9-2Dc077fda5793f-26etti-3D24-26acct-3D487a6e12-2D9193-2D4267-2Da77c-2D3e880dfe488b-26er-3D3a53a047-2D168d-2D4667-2D8625-2D6ccd021bbc9f&d=DwMFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=1y0M7J2xi9v5tbIr_fHHALT_gNd8vExVPl2mHZG5w7k&e= MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 5912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1976,i,73087626863551518,9832237754933868576,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2628, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

barindex
AI detected landing page (webpage, office document or email)
Source: EmailJoe Sandbox AI: Page contains button: 'REVIEW DOCUMENT' Source: 'Email'
Source: EmailJoe Sandbox AI: Email contains prominent button: 'review document'
AI detected potential phishing Email
Source: EmailJoe Sandbox AI: Detected potential phishing email: The email uses a generic greeting 'Hello kparks' despite claiming to be from an official source. The sender email address 'dse_NA4@docusign.net' appears suspicious and doesn't match official DocuSign patterns. The email creates urgency around signing a document without specific context about what policy needs review
Suspicious MSG / EML detected (based on various text indicators)
Source: MSG / EMLOCR Text: *WARNING: EXTERNAL EMAIL* docusign Proofpoint Solutions sent you a document to review and sign. REVIEW DOCUMENT Proofpoint Solutions A new policy has been introduced, and you need to review it and fill out the enrollment form. Please go through the provided materials and sign the last three pages. Also, kindly confirm receipt of the form when you receive this email.
Source: chrome.exeMemory has grown: Private usage: 1MB later: 29MB
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 2.19.126.97
Source: unknownTCP traffic detected without corresponding DNS query: 2.19.126.97
Source: unknownTCP traffic detected without corresponding DNS query: 2.19.126.97
Source: unknownTCP traffic detected without corresponding DNS query: 2.19.126.97
Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknownTCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.134
Source: global trafficDNS traffic detected: DNS query: urldefense.proofpoint.com
Source: global trafficDNS traffic detected: DNS query: na4.docusign.net
Source: global trafficDNS traffic detected: DNS query: docucdn-a.akamaihd.net
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: global trafficDNS traffic detected: DNS query: api.mixpanel.com
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
Source: unknownNetwork traffic detected: HTTP traffic on port 49692 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
Source: classification engineClassification label: mal52.phis.winEML@18/11@16/223
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241118T0812000183-2628.etl
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp1_1.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6111D5E1-0ABC-455E-8D82-23F2E8CC4CFB" "669BE003-4A80-48E6-B1E5-278A10A24CF5" "2628" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6111D5E1-0ABC-455E-8D82-23F2E8CC4CFB" "669BE003-4A80-48E6-B1E5-278A10A24CF5" "2628" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://urldefense.proofpoint.com/v2/url?u=https-3A__na4.docusign.net_Signing_EmailStart.aspx-3Fa-3Dc0dbe9f7-2Df7ee-2D4825-2Dafe9-2Dc077fda5793f-26etti-3D24-26acct-3D487a6e12-2D9193-2D4267-2Da77c-2D3e880dfe488b-26er-3D3a53a047-2D168d-2D4667-2D8625-2D6ccd021bbc9f&d=DwMFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=1y0M7J2xi9v5tbIr_fHHALT_gNd8vExVPl2mHZG5w7k&e=
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1976,i,73087626863551518,9832237754933868576,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://urldefense.proofpoint.com/v2/url?u=https-3A__na4.docusign.net_Signing_EmailStart.aspx-3Fa-3Dc0dbe9f7-2Df7ee-2D4825-2Dafe9-2Dc077fda5793f-26etti-3D24-26acct-3D487a6e12-2D9193-2D4267-2Da77c-2D3e880dfe488b-26er-3D3a53a047-2D168d-2D4667-2D8625-2D6ccd021bbc9f&d=DwMFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=1y0M7J2xi9v5tbIr_fHHALT_gNd8vExVPl2mHZG5w7k&e=
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1976,i,73087626863551518,9832237754933868576,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation2
Browser Extensions		1
Process Injection		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local System2
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Process Injection		LSASS Memory13
System Information Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
Registry Run Keys / Startup Folder		1
Registry Run Keys / Startup Folder		1
DLL Side-Loading		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
Extra Window Memory Injection		1
Extra Window Memory Injection		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
urldefense.com
52.6.56.188
truefalse
    		high
    www.google.com
    		142.250.185.68
    		truefalse
      		high
      api.mixpanel.com
      		130.211.34.183
      		truefalse
        		high
        na4.docusign.net
        		unknown
        		unknownfalse
          		high
          docucdn-a.akamaihd.net
          		unknown
          		unknownfalse
            		high
            urldefense.proofpoint.com
            		unknown
            		unknownfalse
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://na4.docusign.net/Signing/Error.aspx?scope=9dfe5303-2222-4a49-8c37-7c826559453dfalse
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                52.113.194.132
                		unknownUnited States
                		8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                142.250.185.68
                		www.google.comUnited States
                		15169GOOGLEUSfalse
                1.1.1.1
                		unknownAustralia
                		13335CLOUDFLARENETUSfalse
                130.211.34.183
                		api.mixpanel.comUnited States
                		15169GOOGLEUSfalse
                52.109.89.18
                		unknownUnited States
                		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                142.250.186.174
                		unknownUnited States
                		15169GOOGLEUSfalse
                173.194.76.84
                		unknownUnited States
                		15169GOOGLEUSfalse
                142.250.185.238
                		unknownUnited States
                		15169GOOGLEUSfalse
                2.19.126.135
                		unknownEuropean Union
                		16625AKAMAI-ASUSfalse
                52.109.32.38
                		unknownUnited States
                		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                142.250.181.227
                		unknownUnited States
                		15169GOOGLEUSfalse
                35.190.25.25
                		unknownUnited States
                		15169GOOGLEUSfalse
                239.255.255.250
                		unknownReserved
                		unknownunknownfalse
                162.248.184.187
                		unknownUnited States
                		62856DOCUS-6-PRODUSfalse
                162.248.184.188
                		unknownUnited States
                		62856DOCUS-6-PRODUSfalse
                52.6.56.188
                		urldefense.comUnited States
                		14618AMAZON-AESUSfalse
                13.89.178.27
                		unknownUnited States
                		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                142.250.184.227
                		unknownUnited States
                		15169GOOGLEUSfalse
                95.101.54.217
                		unknownEuropean Union
                		34164AKAMAI-LONGBfalse
                2.22.242.130
                		unknownEuropean Union
                		20940AKAMAI-ASN1EUfalse

                Private

                IP
                192.168.2.17
                192.168.2.16

                General Information

                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1557670
                Start date and time:2024-11-18 14:10:52 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:9
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • EGA enabled
                Analysis Mode:stream
                Analysis stop reason:Timeout
                Sample name:phish_alert_sp1_1.0.0.0.eml
                Detection:MAL
                Classification:mal52.phis.winEML@18/11@16/223
                Cookbook Comments:
                • Found application associated with file extension: .eml

                Warnings

                • Exclude process from analysis (whitelisted): dllhost.exe
                • Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 2.22.242.130, 52.109.32.38, 52.109.32.39, 52.109.32.47, 52.109.32.46, 13.89.178.27, 142.250.181.227, 173.194.76.84, 142.250.186.174, 162.248.184.188, 34.104.35.123, 2.19.126.135, 2.19.126.140
                • Excluded domains from analysis (whitelisted): omex.cdn.office.net, clientservices.googleapis.com, weu-azsc-config.officeapps.live.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, a1737.b.akamai.net, clients2.google.com, officeclient.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, na4-se.docusign.net.akadns.net, accounts.google.com, prod.configsvc1.live.com.akadns.net, onedscolprdcus03.centralus.cloudapp.azure.com, s-0005-office.config.skype.com, na4.docusign.net.akadns.net, docucdn-a.akamaihd.net.edgesuite.net, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, edgedl.me.gvt1.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, clients.l.google.com, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • VT rate limit hit for: phish_alert_sp1_1.0.0.0.eml

                LLM Input / Output

                InputOutput
                URL: email Model: Joe Sandbox AI
                {
    "explanation": [
        "The email uses a generic greeting 'Hello kparks' despite claiming to be from an official source",
        "The sender email address 'dse_NA4@docusign.net' appears suspicious and doesn't match official DocuSign patterns",
        "The email creates urgency around signing a document without specific context about what policy needs review"
    ],
    "phishing": true,
    "confidence": 9
}
                {
    "date": "Thu, 14 Nov 2024 07:28:30 -0800", 
    "subject": "[External] RE: Important Document", 
    "communications": [
        "*WARNING: EXTERNAL EMAIL*\n\n****************************************************************************************************************************************************************************************************************************************************************************************\nHello kparks,\n\nProofpoint Solutions has sent you a new Docusign document to view and sign. Please click on the link below to begin signing.\n\nA new policy has been introduced, and you need to review it and fill out the enrollment form. Please go through the provided materials and sign the last three pages. Also, kindly confirm receipt of the form when you receive this email.\n\n    \n\nREVIEW DOCUMENT\n\nhttps://urldefense.proofpoint.com/v2/url?u=https-3A__na4.docusign.net_Signing_EmailStart.aspx-3Fa-3Dc0dbe9f7-2Df7ee-2D4825-2Dafe9-2Dc077fda5793f-26etti-3D24-26acct-3D487a6e12-2D9193-2D4267-2Da77c-2D3e880dfe488b-26er-3D3a53a047-2D168d-2D4667-2D8625-2D6ccd021bbc9f&d=DwIFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=1y0M7J2xi9v5tbIr_fHHALT_gNd8vExVPl2mHZG5w7k&e= \n\nIf clicking the link does not work, you can highlight and copy the entire line above and paste it into your browser to get started.\n\nThis message was sent to you by Proofpoint Solutions who is using the Docusign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.\n\nDo Not Share This Email\nThis email contains a secure link to Docusign. Please do not share this email, link, or access code with others.\n\nQuestions about the Document?\nIf you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly.\n\nStop receiving this email\nReport this email https://urldefense.proofpoint.com/v2/url?u=https-3A__protect.docusign.net_report-2Dabuse-3Fe-3DAUtomjpFak9GlbPL0zFFi11XVXBwytLdmpDpy34xHZVcx-2DFCuAWOYNdHEbhU50c9Hqxhg31KAVl7NB6QJiM4wSsECFxG6ZKZ-2DpmxC04uTf2aSBA9GBpeZBP2xT3Z3SymstmpTwikWILwRtm5Wbw7w-2Da3uszZ8OOXOBXmjkhUL54MfGXzLQvDTUIn8FKhORtiXHX4JigGISpjdx-5FMWaDCRzUrn7QYuHkEQgDXr5FHq-2D8GTeg1V2msJW2D2yQCe1UctzlWzqiWbaJQlPOiEQGiIJaFBGdovirzA8smCpVC-5FisOTyH0vg976E-5F8tPO0GFWo13bkRigC-2DHn3nojdk-2DhUv2NlDTMCuknAHATaISvHUFD6M-2D5K-5FEcMWsEi-5Ff22D-2DlmwSKzfEsChmkxddY5-5Ft2aEu98YRCKUtreflfePu875nxDKzyYZlWSP6NUCC0crdTm8XiCbDkcd7YWAjijeJCTk3E-26lang-3Den&d=DwIFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=Q5_CojUl0Cy0GEaesvrSIIlPnpKcziHNwYznZeMTFSA&e= \nDeclining to sign \nManaging notifications \n\nIf you have trouble signing, visit \"How to Sign a Document\" on our Docusign Support Center, or browse our Docusign Community for more information.\nhttps://urldefense.proofpoint.com/v2/url?u=https-3A__support.docusign.com_s_articles_How-2Ddo-2DI-2Dsign-2Da-2DDocuSign-2Ddocument-2DBasic-2DSigning-3Flanguage-3Den-5FUS-26-2338-3Butm-5Fcampaign-3DGBL-5FXX-5FDBU-5FUPS-5F2211-5FSignNotificationEmailFooter-26-2338-3Butm-5Fmedium-3Dproduct-26-2338-3Butm-5Fsource-3Dpostsend&d=DwIFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=56gNhvIQMdIrlKsKTtDfbKpn1a-wOe1bv9PFCn2y-2I&e= \n"
    ], 
    "from": "Proofpoint Solutions via Docusign <dse_NA4@docusign.net>", 
    "to": "kparks <Departments77@rednersmarkets.com>", 
    "attachements": []
}
                URL: Email Model: Joe Sandbox AI
                ```json
{
  "contains_trigger_text": true,
  "trigger_text": "REVIEW DOCUMENT",
  "prominent_button_name": "REVIEW DOCUMENT",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": false
}
                URL: Email Model: Joe Sandbox AI
                ```json
{
  "brands": [
    "Docusign"
  ]
}
                URL: https://na4.docusign.net/Signing/Error.aspx?scope=9dfe5303-2222-4a49-8c37-7c826559453d Model: Joe Sandbox AI
                ```json
{
  "contains_trigger_text": false,
  "trigger_text": "unknown",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}
                URL: https://na4.docusign.net Model: Joe Sandbox AI
                {
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": false,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}
                URL: https://na4.docusign.net
                URL: https://na4.docusign.net/Signing/Error.aspx?scope=9dfe5303-2222-4a49-8c37-7c826559453d Model: Joe Sandbox AI
                ```json
{
  "brands": [
    "Docusign"
  ]
}

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):231348
                Entropy (8bit):4.382485222419633
                Encrypted:false
                SSDEEP:
                MD5:00E4C2040EF2838D322FA59A9377A45F
                SHA1:090F71CB83E9203B45773F354E367B3F0FCB8EF2
                SHA-256:71142981BDF7125C1FC3985B561DCBBBE819B18E966A6E77BBAEE699C7A2CDCD
                SHA-512:43875662D3B2D0EE70A5B80E47CA7861991A4C2BB5108F599BC4FB0017424205E5F3051848EA9BC8202C9312EB25A84A4F4198C741AE78FDD475EBFE2DBB2FE4
                Malicious:false
                Reputation:unknown
                Preview:TH02...... . ?Gd.9......SM01X...,...@.8d.9..........IPM.Activity...........h...............h............H..h..^.....i..a...h........0..H..h\cal ...pDat...h.k..0...P.^....h...............h........_`.k...h....@...I.lw...h....H...8..k...0....T...............d.........2h...............k.............!h.............. h........h.^...#h....8.........$h0......8....."h..............'h..............1h....<.........0h....4.....k../h....h......kH..h.8..p.....^...-h .........^...+h.........^......... ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

                C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with very long lines (65536), with no line terminators
                Category:dropped
                Size (bytes):322260
                Entropy (8bit):4.000299760592446
                Encrypted:false
                SSDEEP:
                MD5:CC90D669144261B198DEAD45AA266572
                SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
                SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
                SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
                Malicious:false
                Reputation:unknown
                Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

                C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):10
                Entropy (8bit):2.721928094887362
                Encrypted:false
                SSDEEP:
                MD5:316AFD00BAEBD8BEDD2FB1BE8F544867
                SHA1:A66B7119FFC921AD4C45F10F2D62D1892F888D85
                SHA-256:E381F15EE62F60D60CE0F11A0197B527EC3E7734CC64B28A1114B0AD22FCCFB2
                SHA-512:2DAB3353D0C1D02C5B2C07B42E76A9A9E60863B16FCB7EF898EEC929A40F99D410B44258EE21F94BD07725830B15382BCBC6157711CB1C7922DF0758C68B17E4
                Malicious:false
                Reputation:unknown
                Preview:1731935524

                C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):30
                Entropy (8bit):1.172253928364927
                Encrypted:false
                SSDEEP:
                MD5:FF01F72918128BBD103F2134B2918459
                SHA1:DA5E581287CDE86282CA5B48D0A238DDE4678DC0
                SHA-256:A3CF6928037CF68C0E89E872EC847EBE72A9EE51EB7ECE1716272B46C438C057
                SHA-512:1F00DF875E3537ABC0F8966779EE7B93FF7F6FB867CCF8BD32DF8F8BA06EF75071C981A9CAEEE20D3195F1D78BA5D67568E2079346F16ED588B4729F2B0B5AF2
                Malicious:false
                Reputation:unknown
                Preview:..............................

                C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):14
                Entropy (8bit):2.699513850319966
                Encrypted:false
                SSDEEP:
                MD5:C5A12EA2F9C2D2A79155C1BC161C350C
                SHA1:75004B4B6C6C4EE37BE7C3FD7EE4AF4A531A1B1A
                SHA-256:61EC0DAA23CBC92167446DADEFB919D86E592A31EBBD0AB56E64148EBF82152D
                SHA-512:B3D5AF7C4A9CB09D27F0522671503654D06891740C36D3089BB5CB21E46AB235B0FA3DC2585A383B9F89F5C6DAE78F49F72B0AD58E6862DE39F440C4D6FF460B
                Malicious:false
                Reputation:unknown
                Preview:..c.a.l.i.....

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 12:12:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2673
                Entropy (8bit):3.976119761882083
                Encrypted:false
                SSDEEP:
                MD5:A29F20B63B2029D258FBCD4E64704DD9
                SHA1:7CFA6CE47CF98A23DCF947465973504D6E74411C
                SHA-256:CFD5EFD6ACBA8FF1B036B60DE37569217CEE437CDDEA87931BC20955FD52F5A7
                SHA-512:CB5BA4AA14D591317BD318D69A20C22B2FC062035B38B92F05E96E24D2593DFA1D83711A002E2506E871395A94E2248D4805CF35BDB9B0F0935511389DF07141
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,....X.S|.9..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IrYhi....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.i....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VrY.i....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VrY.i..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VrY.i...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............J{......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 12:12:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2675
                Entropy (8bit):3.990961051632568
                Encrypted:false
                SSDEEP:
                MD5:5EC5F57F984C3EE942EA510A71216CB3
                SHA1:D5FC7D78CAA186DBA2A4D3DCFF0F4FEFE8313FE6
                SHA-256:FD0E6DE2E24A4DF947B69B7CF1CE84EC11024E77D7055C15D0B4DE895A948378
                SHA-512:AE1F66E2FC92ECB6610FB981FD1F050DB140425F46F962B3A0CE7E0A7FC5D7665F1B5F8802108CE922FFE21E6BFE0B85C9B9FB8785B66FBBDC6254E986E665A8
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,.....XG|.9..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IrYhi....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.i....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VrY.i....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VrY.i..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VrY.i...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............J{......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2689
                Entropy (8bit):3.999915695756445
                Encrypted:false
                SSDEEP:
                MD5:E161DA3D13021A7A840663B85FBCBE4D
                SHA1:101F04E53C3DF312AF781EA3686B8C280D3C3F79
                SHA-256:438FB49E17FB613A4537A874358A29C106175812BD7EB9D8B4F7F24C621CA5C8
                SHA-512:7F1FF46C1E3FBB05CC019CBD9D92D5A8AACB6F18EE488378461A30D3FDCAA998F9C389C1907A169E1BD56A78F66A6CE58BA50640BBC556102345B54E46542FDE
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IrYhi....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.i....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VrY.i....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VrY.i..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............J{......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 12:12:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2677
                Entropy (8bit):3.989616317159062
                Encrypted:false
                SSDEEP:
                MD5:3322AFF301D78EDB90E8A30EFD344437
                SHA1:E7D11ACC8D3DEA11A87CC6FBD6E26C5A5C1BD8FC
                SHA-256:B8E94FADAE9B035FCA6A60B495BAE7813579F9D801F5A6F318AAEB9E1BB821DC
                SHA-512:16775A1FE1F178D20E3800F44F260934BB88169D42B05984B909809A821BE3B63DFD9D1F13BF4574FA7E2CEC4B6B152404E825C8E9FCCEEE046E44FFFB8EECD3
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,....d.@|.9..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IrYhi....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.i....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VrY.i....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VrY.i..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VrY.i...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............J{......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 12:12:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2677
                Entropy (8bit):3.9786690366395385
                Encrypted:false
                SSDEEP:
                MD5:AEA1B6762E8266CB8AD5D76A11A33FFC
                SHA1:C5E55C2571E095DC051D644962C8F1BFE28603A6
                SHA-256:9B1E501BEF22AA98448BBB4BBA853F0D4EF3D0E01EA75D7EAA21B8C88F0D61F4
                SHA-512:04F71B48039EB90CD6F6F2FDCA913146E6FFFA3B43E7245E953674A0439B2F32B820723BF8637BAB52E129CD7F5844F05D1C4CA6EE4FA1FDF86055E2984B228B
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,......M|.9..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IrYhi....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.i....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VrY.i....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VrY.i..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VrY.i...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............J{......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Nov 18 12:12:14 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2679
                Entropy (8bit):3.987157702965474
                Encrypted:false
                SSDEEP:
                MD5:A536648641AFB254E325F3E0254DD9D5
                SHA1:BA05EFF8FE854545443A1C2B46FF8474DAC36607
                SHA-256:99380D70B35FA1290C6215906AA957BDC73BCC2EFC95BD96C1FE47AEE547190E
                SHA-512:2A9029AA74DDA3EDADC5340C7C3CF155CFC03B1274C2B095E236EF4F31FF8D8CBCC71C82E19B2DF9B7E533FB9B642B0E1D03CB06C1E7A3611F47947339E09FD3
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,.....y7|.9..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IrYhi....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VrY.i....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VrY.i....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VrY.i..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VrY.i...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............J{......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                Static File Info

                General

                File type:RFC 822 mail, ASCII text, with CRLF line terminators
                Entropy (8bit):5.939636705684686
                TrID:
                • E-Mail message (Var. 5) (54515/1) 100.00%
                File name:phish_alert_sp1_1.0.0.0.eml
                File size:21'925 bytes
                MD5:fb9691407fb258bda50ae9500985e732
                SHA1:563b0e80459032dc2b571d102465f1de6de878bc
                SHA256:a1ea0c9614d9e99cb2c59cae8fbcb3f73cd882166462d1d205e9794a5f224378
                SHA512:90b79de033c03166947d4a60908b3b03380a5e6b815e81d1c15558466aaf6d047b85302e7eccd2dc49d38eea6b83f85b3e8369e879c6a202dc95ddb46cc91940
                SSDEEP:384:UgGgrFjsZY3tyQzIDPMoxKvJV3GQWdNhw9Uxd55K2UcQH/aByAn5eV:bjU1GCPMoxKe1xd55K2HQH/aByA5eV
                TLSH:3FA25DA541065C6714B31215B0123FD571024C6F16E09EA0BC2BBA7EBDEFD763BBB60A
                File Content Preview:Received: from Redmail23.rednersmarkets.com (172.25.127.100) by.. Redmail23.rednersmarkets.com (172.25.127.100) with Microsoft SMTP Server.. (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id.. 15.2.1544.11 via Mailbox Transport; Thu, 14 No

                Static Mail

                General

                Subject:[External] RE: Important Document
                From:Proofpoint Solutions via Docusign <dse_NA4@docusign.net>
                To:kparks <Departments77@rednersmarkets.com>
                Cc:
                BCC:
                Date:Thu, 14 Nov 2024 07:28:30 -0800
                Communications:
                • *WARNING: EXTERNAL EMAIL* **************************************************************************************************************************************************************************************************************************************************************************************** Hello kparks, Proofpoint Solutions has sent you a new Docusign document to view and sign. Please click on the link below to begin signing. A new policy has been introduced, and you need to review it and fill out the enrollment form. Please go through the provided materials and sign the last three pages. Also, kindly confirm receipt of the form when you receive this email. REVIEW DOCUMENT https://urldefense.proofpoint.com/v2/url?u=https-3A__na4.docusign.net_Signing_EmailStart.aspx-3Fa-3Dc0dbe9f7-2Df7ee-2D4825-2Dafe9-2Dc077fda5793f-26etti-3D24-26acct-3D487a6e12-2D9193-2D4267-2Da77c-2D3e880dfe488b-26er-3D3a53a047-2D168d-2D4667-2D8625-2D6ccd021bbc9f&d=DwIFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=1y0M7J2xi9v5tbIr_fHHALT_gNd8vExVPl2mHZG5w7k&e= If clicking the link does not work, you can highlight and copy the entire line above and paste it into your browser to get started. This message was sent to you by Proofpoint Solutions who is using the Docusign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request. Do Not Share This Email This email contains a secure link to Docusign. Please do not share this email, link, or access code with others. Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly. Stop receiving this email Report this email https://urldefense.proofpoint.com/v2/url?u=https-3A__protect.docusign.net_report-2Dabuse-3Fe-3DAUtomjpFak9GlbPL0zFFi11XVXBwytLdmpDpy34xHZVcx-2DFCuAWOYNdHEbhU50c9Hqxhg31KAVl7NB6QJiM4wSsECFxG6ZKZ-2DpmxC04uTf2aSBA9GBpeZBP2xT3Z3SymstmpTwikWILwRtm5Wbw7w-2Da3uszZ8OOXOBXmjkhUL54MfGXzLQvDTUIn8FKhORtiXHX4JigGISpjdx-5FMWaDCRzUrn7QYuHkEQgDXr5FHq-2D8GTeg1V2msJW2D2yQCe1UctzlWzqiWbaJQlPOiEQGiIJaFBGdovirzA8smCpVC-5FisOTyH0vg976E-5F8tPO0GFWo13bkRigC-2DHn3nojdk-2DhUv2NlDTMCuknAHATaISvHUFD6M-2D5K-5FEcMWsEi-5Ff22D-2DlmwSKzfEsChmkxddY5-5Ft2aEu98YRCKUtreflfePu875nxDKzyYZlWSP6NUCC0crdTm8XiCbDkcd7YWAjijeJCTk3E-26lang-3Den&d=DwIFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=Q5_CojUl0Cy0GEaesvrSIIlPnpKcziHNwYznZeMTFSA&e= Declining to sign Managing notifications If you have trouble signing, visit "How to Sign a Document" on our Docusign Support Center, or browse our Docusign Community for more information. https://urldefense.proofpoint.com/v2/url?u=https-3A__support.docusign.com_s_articles_How-2Ddo-2DI-2Dsign-2Da-2DDocuSign-2Ddocument-2DBasic-2DSigning-3Flanguage-3Den-5FUS-26-2338-3Butm-5Fcampaign-3DGBL-5FXX-5FDBU-5FUPS-5F2211-5FSignNotificationEmailFooter-26-2338-3Butm-5Fmedium-3Dproduct-26-2338-3Butm-5Fsource-3Dpostsend&d=DwIFaQ&c=AbmFZyyDMVrBYLu9z0bfO-H7A0sKUmoCsEUAvVmcgZg&r=DLqoN5pSDZ_g9IIBhfg1GadgDUy4JQHTxGHBPBqm0XnxKB29YXx3aTfWdfxKdxqt&m=TOrMzYU-AZsL7WsaqFVzKE-ijRE0JpkFu-jC-OpDcHacFpnyXJ_3I3i9tgY43igq&s=56gNhvIQMdIrlKsKTtDfbKpn1a-wOe1bv9PFCn2y-2I&e=
                Attachments:

                  Headers

                  Key Value
                  Receivedfrom docusign.net ([127.0.0.1]) by CH101FE27.corp.docusign.net with Microsoft SMTPSVC(10.0.17763.1697); Thu, 14 Nov 2024 07:28:30 -0800
                  Authentication-Resultsrednersmarkets.com; spf=pass smtp.mailfrom=dse_NA4@docusign.net; dkim=pass header.s=mail1 header.d=docusign.net; dmarc=pass header.from=docusign.net
                  DKIM-Signaturev=1; a=rsa-sha256; c=relaxed/simple; d=docusign.net; s=mail1; t=1731598136; bh=5XNXTS6J+juyXvX6j6AtnaPH2eu20RBz7KJgX947K04=; h=From; b=PoA8f1FCg5MIlZ/z/GFarYpW5zk90QYEprufYxFvVWHC85Eyk0gRwvmO69QthC8dd lZZS9mc/tLnZvK7r4+kqNfdpx6q3h6hXTAfbh90deqOMj1LRRTEYeVo/7FA2YMBJxq DZb70K8JXrRpuMtPJ+hkT2pY3SYqsrY86GO22Akijjm9IxoqVT72tiWijaQxGtE5Yx MV/2dw/htbPvppSNiB0lE2h1HDXmLdihJnuu97rGkvqkBgnHY0bguUfaDg8nW3kVe+ 5pj8Lv0HbGdWxy/knC94VZT3gOFH0/QH1wiuufbdEd6w+v3MIxY0tKjtEYLLhX9P5f Wsl2B/c2A6rrg==
                  SenderDocuSign NA4 System <dse_NA4@docusign.net>
                  Reply-ToProofpoint Solutions <jennahall114@outlook.com>
                  Recipient-Id3a53a047-168d-4667-8625-6ccd021bbc9f
                  X-DebugFalse
                  X-Email-Rejection-ModeLearningMode
                  X-Api-Hostna4.docusign.net
                  Site-Id7
                  X-BounceEmailVersion1
                  FromProofpoint Solutions via Docusign <dse_NA4@docusign.net>
                  Tokparks <Departments77@rednersmarkets.com>
                  Message-ID<a99fad8a25034a5b9f5d2d3a2f095d97@docusign.net>
                  DateThu, 14 Nov 2024 07:28:30 -0800
                  Content-Typemultipart/alternative; boundary="----=_NextPart_03BA3DC8_95C2_43B3_B136_51340DF65F63"
                  X-OriginalArrivalTime14 Nov 2024 15:28:30.0005 (UTC) FILETIME=[DBA66650:01DB36A9]
                  X-Proofpoint-GUIDTwbP_m7oxNuImddQjR0FiXcLzS02PvmX
                  X-CLX-ShadesMLX
                  X-Proofpoint-ORIG-GUIDTwbP_m7oxNuImddQjR0FiXcLzS02PvmX
                  X-CLX-Response1TFkXHhsdEQpMehceHB4RCllEF25gYG4ZfXhATVJ7EQpYWBdtU09+bXBwfhl fchEKeE4XZ19fcEtmWB1ncmERCnhLF21TT35tcHB+GV9yEQp4TBdsfklvWkZoaXxDZBEKeUwXbl 5ZZ0JEc0BmEm8RCkNIFwcbHRkRCkNZFwcZGR0RCkNJFxoEGhoaEQpZTRdnZnIRCllJFxsYEnETE Bp3BhgcE3EYHBgZGhAfGXcGGBoGGhEKWV4XbGx5EQpJRhdYT05ET1hZR0tYQU9eWXVaWEVOX0le Q0VEB1xHEQpJRxd4T00RCkNOF35dSHp1Rx1FUmRfY0dOTntAeBpsQ3JJZlB5Ghh6XEdyEQpYXBc fBBoEGR0TBRsaBBsbGgQbGR4EGR4QGx4aHxoRCl5ZF09LHV8dEQpNXBceHx4RCkxaF2l7Q3tNTR EKRVkXaGtrEQpMXxd6BQUFBQUFBQUFHREKTEYXb2trY2trEQpCTxdiARJOc0ZNeU0SaBEKQ1oXH B4EGBodBBgbEwQbGR0RCkJeFxsRCkJcFxsRCl5OFxsRCkJLF3oBcnhjBWNiGGEFEQpCSRd6AXJ4 YwVjYhhhBREKQkUXZGhTR3xQWlNJX3ARCkJOF3oBcnhjBWNiGGEFEQpCTBdlSGh8WkEcXWQcYhE KQmwXbXBeU3BjcFlZH0ARCkJAF2BoeWtaR3tEax1QEQpCWBdlZ1wBXGluG3pHbBEKWlgXGBIRCn lDF2NZUGweXBN7bmlBEQpZSxcTGBIfEQpaSxcbGxoeHBEKcGcXaX95fkdwGFhweUEQGhEKcGgXZ W4aRV98ZkZzYlgQGx8TEQpwaBdhXBgZG35de0FwbhAbGRsRCnBoF2ZSQHMSeVJMR1p9EBsZHhEK cGgXa3xgXBkeTh9leXkQGxoZEQpwaBdpQXN4Q0ABAU8aUhASExEKcGgXZGl/YRJOZUlTGEMQGhE KcGgXZH5Sbx1dWkdTZ0QQEhkRCnBoF2wcWx98eVtJAWNSEBoRCnB9F297UFxbSVptWHplEBoRCn B9F25DWBwdcmJAbXJAEBoRCnB9F25fAWByHkMSEk5nEBseHxEKcH0Xemx4R3BYBUFQfm4QEhwRC nB9F21naW9eHGQaXWdlEB0cEQpwfRdgQFxvfHp8S18bSBASGxEKcH0XYXBEY3pOT18YSUkQEhsR CnB9F3oBGW1uH1IYUnNaEBIeEQpwfRdhWklieBhdSRkBRBAbHx4RCnB9F2JAEllQTHhvU3gfEBs eGxEKcH8Xa35rbmFQe3pteBIQEhkRCnBfF2EBUktGSXhTXW9YEBIYEQpwXxdjZHJ+ZhNDG2F9UB ASGREKcH8XbnpFQG0bWENgEm4QEh4RCnBfF20ZBXxuZRJ9XmFmEBIYEQpwfxdic1NyU3saBXlPG hATGhEKcF8XbXtaEk5BW3AcfFgQExgRCnBfF2FEUxtvAUhaZ21dEBIfEQpwXxdjUmN+RhNeQhlQ ehASGxEKcF8XYV0cUHBARgFMfGsQEhgRCnBfF2dCSWh4Z19BaFlPEBIfEQpwXxdsQHNiZBNwYEB 7GhASHhEKcH8XbE19Tl95RVBSQmUQGx4ZEQpwXxdlW0dcbmdYR0IebBAbHBgRCnBsF24BSE4cHR ljZFlCEBoRCnBMF2BcQ31SQ2xZGXN4EBoRCm1+FxoRClhNF0sRIA==
                  MIME-Version1.0
                  Subject[External] RE: Important Document
                  X-Proofpoint-Virus-Versionvendor=nai engine=6700 definitions=11256 signatures=596817
                  X-Proofpoint-Spam-Detailsrule=inbound_notspam policy=inbound score=0 spamscore=0 priorityscore=464 bulkscore=0 suspectscore=0 malwarescore=0 adultscore=0 unknownsenderscore=20 phishscore=0 lowpriorityscore=0 clxscore=417 impostorscore=0 mlxscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2409260000 definitions=main-2411140120 domainage_hfrom=9285 domainage_replyto=11046
                  Return-Pathdse_NA4@docusign.net
                  X-MS-Exchange-Organization-Network-Message-Id8d3f82d4-c9d7-4844-47bb-08dd04c0ffe3
                  X-MS-Exchange-Organization-AVStamp-Enterprise1.0
                  X-MS-Exchange-Organization-AuthSourceRedmail23.rednersmarkets.com
                  X-MS-Exchange-Organization-AuthAsAnonymous
                  X-MS-Exchange-Transport-EndToEndLatency00:00:00.2956276
                  X-MS-Exchange-Processed-By-BccFoldering15.02.1544.011

                  File Icon

                  Icon Hash:46070c0a8e0c67d6