Edit tour

Windows Analysis Report
Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml

Overview

General Information

Sample name:	Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml
Analysis ID:	1530942
MD5:	4e46610dcb7ece78f8c2123b95fa5e23
SHA1:	8ba69d84b2b311e3e9edc433f73e36a19e6fcb4c
SHA256:	e605ac00ac4839c0dfba0ad5eafe8a8c2cf0ca4b1ac3e273b0090d669de3a10b
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

Suspicious MSG / EML detected (based on various text indicators)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6504 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 5780 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E2281F03-DBD0-45BA-93C4-42734399A761" "B9A67480-8303-44DE-8058-9B3EB0AFE824" "6504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 3676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fna2.docusign.net%2FSigning%2FEmailStart.aspx%3Fa%3D423c3005-40e3-4f73-b01f-22c9db5b3def%26etti%3D24%26acct%3D038966a5-ff0e-476e-8a6b-74cff2dbb75d%26er%3D394d41b2-f386-4e71-a2b3-8177fba01463__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqirZCaLewk%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844817953%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=zaJtoIm3TinFFKZVAkfa85ottmo3ktA9hI4XaMqBzx0%3D&reserved=0 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 1952 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1932,i,5493115229194152307,3648905318716236932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Suspicious MSG / EML detected (based on various text indicators)

Source: MSG / EML

OCR Text: Can you please look at this? I asked Dr. Parsons to also report as suspicious. Thank you. Get Outlook for iOS From: Parsons MD, Gregory <gparsons@ceenta.com> Sent: Thursday, October 10, 2024 AM To: Woodall,Jeremie <jwoodall@ceenta.com> Subject: FW: Complete with Docusign: J929272 SOW Extension_002 09-OCT-24 201415.pdf Please help.l don't know anything about this issue and I am concerned it is fake email. Gregory S Parsons MD Otolaryngology t: 803-327-4000 | f: 803-328-1865 Charlotte Eye Ear Nose & Throat Associates, P.A. 200 South Herlong Ave Suite F Rock Hill SC 29732 From: DocuSign System <dse_na2@docusign.net> Sent: Thursday, October 10, 2024 9:43 AM To: Gill ScD, Jag <jgill@ceenta.com> Subject: Complete with Docusign: J929272 SOW Extension_002 09-OCT-24 201415.pdf External Sender I Exercise Caution Report Suspicious Verify the sender's identity BEFORE replying or opening attachments or links! docusign Lewis, Robert D sent you a document to review and sign. REVIEW DOCUMENT Lewis, Robert D robert.d.lewis@oracle.com This extends the expiration date of our NetSuite Planning and Budgeting implementation and there is no additional cost associated with it. Please let me know if you have any questions. Robert Lewis PM 817-897-2678

Source: unknown	HTTPS traffic detected: 23.60.203.209:443 -> 192.168.2.18:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.18:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.18:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.18:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.86.251.27:443 -> 192.168.2.18:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.18:49856 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.60.203.209
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.141.63

Source: global traffic	DNS traffic detected: DNS query: nam11.safelinks.protection.outlook.com
Source: global traffic	DNS traffic detected: DNS query: urldefense.com
Source: global traffic	DNS traffic detected: DNS query: na2.docusign.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: docucdn-a.akamaihd.net
Source: global traffic	DNS traffic detected: DNS query: a.docusign.com
Source: global traffic	DNS traffic detected: DNS query: api.mixpanel.com
Source: global traffic	DNS traffic detected: DNS query: cdn.optimizely.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 23.60.203.209:443 -> 192.168.2.18:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.18:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.18:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.71:443 -> 192.168.2.18:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.86.251.27:443 -> 192.168.2.18:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.18:49856 version: TLS 1.2

Source: classification engine

Classification label: mal48.phis.winEML@18/74@26/200

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241010T1200020369-6504.etl

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E2281F03-DBD0-45BA-93C4-42734399A761" "B9A67480-8303-44DE-8058-9B3EB0AFE824" "6504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E2281F03-DBD0-45BA-93C4-42734399A761" "B9A67480-8303-44DE-8058-9B3EB0AFE824" "6504" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fna2.docusign.net%2FSigning%2FEmailStart.aspx%3Fa%3D423c3005-40e3-4f73-b01f-22c9db5b3def%26etti%3D24%26acct%3D038966a5-ff0e-476e-8a6b-74cff2dbb75d%26er%3D394d41b2-f386-4e71-a2b3-8177fba01463__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqirZCaLewk%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844817953%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=zaJtoIm3TinFFKZVAkfa85ottmo3ktA9hI4XaMqBzx0%3D&reserved=0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1932,i,5493115229194152307,3648905318716236932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fna2.docusign.net%2FSigning%2FEmailStart.aspx%3Fa%3D423c3005-40e3-4f73-b01f-22c9db5b3def%26etti%3D24%26acct%3D038966a5-ff0e-476e-8a6b-74cff2dbb75d%26er%3D394d41b2-f386-4e71-a2b3-8177fba01463__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqirZCaLewk%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844817953%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=zaJtoIm3TinFFKZVAkfa85ottmo3ktA9hI4XaMqBzx0%3D&reserved=0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=1932,i,5493115229194152307,3648905318716236932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: Email	LLM: Page contains button: 'REVIEW DOCUMENT' Source: 'Email'
Source: Email	LLM: Email contains prominent button: 'review document'

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Name	IP	Active	Malicious	Reputation
cdn.optimizely.com	104.18.66.57	true	false	unknown
nam11.safelinks.eop-tm2.outlook.com	104.47.58.156	true	false	unknown
urldefense.com	52.204.90.22	true	false	unknown
www.google.com	172.217.23.100	true	false	unknown
api.mixpanel.com	35.186.241.51	true	false	unknown
arya-1323461286.us-west-2.elb.amazonaws.com	35.161.37.142	true	false	unknown
nam11.safelinks.protection.outlook.com	unknown	unknown	false	unknown
a.docusign.com	unknown	unknown	false	unknown
docucdn-a.akamaihd.net	unknown	unknown	false	unknown
na2.docusign.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://na2.docusign.net/Signing/?ti=687025a17ea54551bfa5602a9e03a561	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
35.161.37.142	arya-1323461286.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
142.250.186.35	unknown	United States	15169	GOOGLEUS	false
142.250.186.78	unknown	United States	15169	GOOGLEUS	false
35.186.241.51	api.mixpanel.com	United States	15169	GOOGLEUS	false
104.18.66.57	cdn.optimizely.com	United States	13335	CLOUDFLARENETUS	false
162.248.185.182	unknown	United States	62856	DOCUS-6-PRODUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
162.248.185.183	unknown	United States	62856	DOCUS-6-PRODUS	false
54.201.17.39	unknown	United States	16509	AMAZON-02US	false
2.19.126.218	unknown	European Union	16625	AKAMAI-ASUS	false
104.47.58.156	nam11.safelinks.eop-tm2.outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
64.233.167.84	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
2.19.126.140	unknown	European Union	16625	AKAMAI-ASUS	false
142.250.185.131	unknown	United States	15169	GOOGLEUS	false
172.217.23.100	www.google.com	United States	15169	GOOGLEUS	false
142.250.186.142	unknown	United States	15169	GOOGLEUS	false
52.204.90.22	urldefense.com	United States	14618	AMAZON-AESUS	false
51.116.253.168	unknown	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.42	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.18

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530942
Start date and time:	2024-10-10 17:59:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml
Detection:	MAL
Classification:	mal48.phis.winEML@18/74@26/200
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132, 51.116.253.168, 142.250.185.131, 142.250.186.78, 64.233.167.84, 34.104.35.123, 162.248.185.183
Excluded domains from analysis (whitelisted): ecs.office.com, na2.docusign.net.akadns.net, accounts.google.com, slscr.update.microsoft.com, na2-ch.docusign.net.akadns.net, clientservices.googleapis.com, s-0005-office.config.skype.com, onedscolprdgwc01.germanywestcentral.cloudapp.azure.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, clients2.google.com, edgedl.me.gvt1.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, clients.l.google.com, mobile.events.data.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml

LLM Input / Output

Input	Output
URL: Email Model: jbxai	{ "brands":["Docusign"], "text":"Thank you. Get Outlook for iOS From: Parsons MD, Gregory <gparsons@ceenta.com> Sent: Thursday, October 10, 2024 9:50:40 AM To: Woodall, Jeremie <jwoodall@ceenta.com> Subject: FW: Complete with Docusign: J929272_SOW Extension_002_09-OCT-24_201415.pdf Please help.I don't know anything about this issue and I am concerned it is fake email. Gregory S Parsons MD Otolaryngology t: 803-327-4000 \| f: 803-328-1865 Charlotte Eye Ear Nose & Throat Associates, P.A. 200 South Herlong Ave Suite F Rock Hill SC 29732 From: Docusign System <dse_na2@docusign.net> Sent: Thursday, October 10, 2024 9:43 AM To: Gill ScD, Jag <jgill@ceenta.com> Subject: Complete with Docusign: J929272_SOW Extension_002_09-OCT-24_201415.pdf Lewis, Robert D sent you a document to review and sign. REVIEW DOCUMENT Lewis, Robert D robert.d.lewis@oracle.com This extends the expiration date of our NetSuite Planning and Budgeting implementation and there is no additional cost associated with it. Please let me know if you have any questions. Robert Lewis PM 817-897-2678", "contains_trigger_text":true, "trigger_text":"REVIEW DOCUMENT", "prominent_button_name":"REVIEW DOCUMENT", "text_input_field_labels":"unknown", "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://na2.docusign.net/Signing/?ti=687025a17ea54551bfa5602a9e03a561 Model: jbxai	{ "brands":["docusign"], "text":"Please Review & Act on These Documents", "contains_trigger_text":true, "trigger_text":"ORACLE CONTRACT INFORMATION", "prominent_button_name":"CONTINUE", "text_input_field_labels":["Globi", "Globi"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://na2.docusign.net/Signing/?ti=687025a17ea54551bfa5602a9e03a561 Model: jbxai	{ "brands":["docusign"], "text":"This change order amends the statement of work listed below and all change orders thereto (the \"Statement of Work\") between You and Oracle America, Inc. (\"Oracle\")", "contains_trigger_text":true, "trigger_text":"CHANGE ORDER DETAILS", "prominent_button_name":"START", "text_input_field_labels":["Order of Precedence. In the event of any inconsistencies between the Statement of Work and this change order, this change order shall take precedence.", "Other. Subject to the modifications herein, the Statement of Work shall remain in full force and effect."], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://na2.docusign.net/Signing/?ti=687025a17ea54551bfa5602a9e03a561 Model: jbxai	{ "brands":["docusign"], "text":"Please review the documents below.", "contains_trigger_text":false, "trigger_text":"", "prominent_button_name":"START", "text_input_field_labels":"unknown", "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.388455822016392
Encrypted:	false
SSDEEP:
MD5:	384FA16F6B74049706B7F3C7A9A008D8
SHA1:	6CCC39D7A461B414E698A17291C5D205AC8F9E91
SHA-256:	A1511A647AC6C3D31F6464DEA4D8837EA1149F0E76FF9732A2555785C7386666
SHA-512:	4EFD7C13212C94B072538EF42448813763111FF067D8D20ABD35C425B3A9E129F74BDC97EFACF2057ED091041E9DD848F2689E25C901EBDA75D5DEE30B7CB42A
Malicious:	false
Reputation:	unknown
Preview:	TH02...... .p.ql-.......SM01X...,.....bl-...........IPM.Activity...........h...............h............H..h..\.....kS.....h........H?..H..h\nor ...ppDa...h`..0....\....h.V.f...........h........_`.k...h7P.f@...I..w...h....H...8..k...0....T...............d.........2h...............k2.0.....;.2...!h.............. hF.........\...#h....8.........$hH?......8....."h.......`....'h..............1h.V.f<.........0h....4....k../h....h......kH..h...p.....\...-h .......4.\...+hsV.f......\................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 10 15:00:22 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9846344132298737
Encrypted:	false
SSDEEP:
MD5:	B3DBF3AB520A8B5CC04E31C0E7086C95
SHA1:	5DDD52C75306B7D47E490AB4809A4E5A7081D6CC
SHA-256:	AB87D217C6B0B80073D5C1CE6B49E7F9AC614C279E79A2CE53E09F293B05CEA9
SHA-512:	F78E3A4CB7FB33008EC9FD6B8325C8B58854B53D5BCC9264065278B7598358321C7708663D16D74F115A609C9779B7D187A9A3FCBB7695E2BD7417E77DC316C6
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Ub.-.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.IJYu.....B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VJY......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.VJY......M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.VJY.............................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VJY.......#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........{........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	RFC 822 mail, ASCII text, with very long lines (857), with CRLF line terminators
Entropy (8bit):	5.886901185959978
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml
File size:	52'688 bytes
MD5:	4e46610dcb7ece78f8c2123b95fa5e23
SHA1:	8ba69d84b2b311e3e9edc433f73e36a19e6fcb4c
SHA256:	e605ac00ac4839c0dfba0ad5eafe8a8c2cf0ca4b1ac3e273b0090d669de3a10b
SHA512:	cb05baab1daf51ec7b76965622ffab81584635457f3b25bcfacb40192173f68afec9c3d11f7b2cbf163ec83240369dac8cf0030792915575f48df28bcb946158
SSDEEP:	768:szT3G6IYA8/xl30WQdzY6g+fzkQCwrYl5bJq2KJeNwYtpwm4I9Po+T:sP3XPAkH+nzvsKOoo7T
TLSH:	4C339EE24E8B27A8ED1D1A78DCDDFA066E38DA4B32D281898734CF854D757E00CD55AC
File Content Preview:	Received: from SN4PR13MB5309.namprd13.prod.outlook.com (2603:10b6:806:208::17).. by BY5PR13MB3794.namprd13.prod.outlook.com with HTTPS; Thu, 10 Oct 2024.. 13:56:23 +0000..Received: from SJ0PR13MB6052.namprd13.prod.outlook.com (2603:10b6:a03:4e7::20).. by

Subject:	Fw: Complete with Docusign: J929272_SOW Extension_002_09-OCT-24_201415.pdf
From:	"Woodall,Jeremie" <jwoodall@ceenta.com>
To:	"Goolsby,Caroline" <cgoolsby@ceenta.com>
Cc:
BCC:
Date:	Thu, 10 Oct 2024 13:56:20 +0000
Communications:	Can you please look at this? I asked Dr. Parsons to also report as suspicious. Thank you. Get Outlook for iOS<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844757448%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=WLSFxsQaFYUuKLmuShKfwUKttDT433wyQR5hKnuBhO4%3D&reserved=0> ________________________________ From: Parsons MD, Gregory <gparsons@ceenta.com> Sent: Thursday, October 10, 2024 9:50:40 AM To: Woodall,Jeremie <jwoodall@ceenta.com> Subject: FW: Complete with Docusign: J929272_SOW Extension_002_09-OCT-24_201415.pdf Please help.I dont know anything about this issue and I am concerned it is fake email. Gregory S Parsons MD Otolaryngology t: 803-327-4000 \| f: 803-328-1865 Charlotte Eye Ear Nose & Throat Associates, P.A. 200 South Herlong Ave Suite F Rock Hill SC 29732 From: DocuSign System <dse_na2@docusign.net> Sent: Thursday, October 10, 2024 9:43 AM To: Gill ScD, Jag <jgill@ceenta.com> Subject: Complete with Docusign: J929272_SOW Extension_002_09-OCT-24_201415.pdf Lewis, Robert D sent you a document to review and sign. REVIEW DOCUMENT Lewis, Robert D robert.d.lewis@oracle.com This extends the expiration date of our NetSuite Planning and Budgeting implementation and there is no additional cost associated ZjQcmQRYFpfptBannerStart External Sender \| Exercise Caution Verify the sender's identity BEFORE replying or opening attachments or links! Report Suspicious <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fus-phishalarm-ewt.proofpoint.com%2FEWT%2Fv1%2FC8I-Dec!hqGqyqwS7n6mjDk7oCB-SCIBTujywaMjw2279jfKkgL0d8ePCJjw5uaeyAMboueIwiL1x_Z0RBPkMMb2HWOd63iFB4Ui%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844794491%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=jnK3Dm0diKhYu1ehPnadYVEw584g8zup5uSmMRPkHe4%3D&reserved=0> ZjQcmQRYFpfptBannerEnd [DocuSign] [https://na2.docusign.net/member/Images/email/docInvite-white.png] Lewis, Robert D sent you a document to review and sign. REVIEW DOCUMENT <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fna2.docusign.net%2FSigning%2FEmailStart.aspx%3Fa%3D423c3005-40e3-4f73-b01f-22c9db5b3def%26etti%3D24%26acct%3D038966a5-ff0e-476e-8a6b-74cff2dbb75d%26er%3D394d41b2-f386-4e71-a2b3-8177fba01463__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqirZCaLewk%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844817953%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=zaJtoIm3TinFFKZVAkfa85ottmo3ktA9hI4XaMqBzx0%3D&reserved=0> Lewis, Robert D robert.d.lewis@oracle.com<mailto:robert.d.lewis@oracle.com> This extends the expiration date of our NetSuite Planning and Budgeting implementation and there is no additional cost associated with it. Please let me know if you have any questions. Robert Lewis PM 817-897-2678 Do Not Share This Email This email contains a secure link to Docusign. Please do not share this email, link, or access code with others. Alternate Signing Method Visit Docusign.com, click 'Access Documents', and enter the security code: 423C300540E34F73B01F22C9DB5B3DEF2 About Docusign Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe -- Docusign provides a professional trusted solution for Digital Transaction Management. Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly. Stop receiving this email Report this email<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fprotect.docusign.net%2Freport-abuse%3Fe%3DAUtomjpFak9GlbPL0zFFi13qgVbLQhKu6jc0XZ3n1y1BfNAzoF1B0urflk5z-TG-qbrg-Pz4SLsa7WoOEbicOzUUpvb03C89fmEXDnyHaMJeiVx5Xjd7MY7Lh4rZMwG7rhbaGZuB9zG58lHCDxp5GcFmoCxE0bBZaVYRoVgICFUmLYSbD0qseTE0oLO5oGC3Hxfo8W1LzwsEIucdWeXuFP5BCLbMgsNYYFAbvabn0KoNgug1OxM8LX3VT9COLGCkhrdDzaIHHvXo_g2fGrgaywuMuQKlPF_KgF2Edgol2oqZe_-36Z-bVlozZN9UXD75Ot38ZlJFYaw3z-XFEda_pUnBiMG3yBS5y9OtXZ1FbRdG0Q2hVN_9jNGVBE859JR2-et63r9fB_zUl5XNESOQv59g8forwQMSklksIciauUw6fNSa-4wLsAnQiHgXLU4qJg%26lang%3Den__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqir52PeZ3Y%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844833926%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=CVXt%2FINwrBbV0EdsPGzpWoePggPhL2aEDPlgsub14mA%3D&reserved=0> or read more about Declining to sign<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fsupport.docusign.com%2Fen%2Fguides%2FDeclining-to-sign-DocuSign-Signer-Guide__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqirjaV2onE%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844849319%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bTMZhExgpVIZq8%2FUceEcUGuHYvopZyPsEMc5v3os7xA%3D&reserved=0> and Managing notifications<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fsupport.docusign.com%2Fen%2Farticles%2FHow-do-I-manage-my-email-notifications__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqir0FRjdMs%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844870170%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=VA9%2BjlezzsdvmFufE1S2DvZwBWpiX%2F9vJ%2FE53jAfroY%3D&reserved=0>. If you have trouble signing, visit "How to Sign a Document<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fsupport.docusign.com%2Fs%2Farticles%2FHow-do-I-sign-a-DocuSign-document-Basic-Signing%3Flanguage%3Den_US%26utm_campaign%3DGBL_XX_DBU_UPS_2211_SignNotificationEmailFooter%26utm_medium%3Dproduct%26utm_source%3Dpostsend__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqirdsVzsxA%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844893199%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=qIfQwQ9k6BS8QZ436WEj3fDr0q4%2B6jg5rRFTdWfE5Ms%3D&reserved=0>" on our Docusign Support Center<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fsupport.docusign.com%2F__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqirDo8Da7c%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844919218%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=qlLb6R1KDnUOYCChRFyPhbubFn708MSjk2Jfjlw0uaQ%3D&reserved=0>, or browse our Docusign Community<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fcommunity.docusign.com%2Fesignature-111%3Futm_campaign%3DGBL_US_PRD_AWA_2405_CommunityCTA%26utm_medium%3Demail%26utm_source%3Dpostsend__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqir526U-VU%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844942136%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=zsqGWN6o75CxGIYm%2FspyFSvezcSL8VSNlztKuXeAVZw%3D&reserved=0> for more information. [https://docucdn-a.akamaihd.net/olive/images/2.62.0/global-assets/email-templates/icon-download-app.png]Download the Docusign App <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwww.docusign.com%2Ffeatures-and-benefits%2Fmobile%3Futm_campaign%3DGBL_XX_DBU_UPS_2211_SignNotificationEmailFooter%26utm_medium%3Dproduct%26utm_source%3Dpostsend__%3B!!C8I-Dec!486hyGdic1hV2am9VfDJH5Ax3zwY0qv4ruelnV64xkz4xB5hLT894olBod_KeZbxsIbkdqirl8iOjYo%24&data=05%7C02%7Ccgoolsby%40ceenta.com%7C0c2dd23699af4d34b13e08dce93351f7%7C97bf5e89559d4b3e997ec4ee27dbd4cf%7C1%7C0%7C638641653844962776%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=cSZh285KL8V4X0mNbGlv3qOQkTfSBzAcruziRoV6JIw%3D&reserved=0> This message was sent to you by Lewis, Robert D who is using the Docusign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request. Confidentiality: The information in this electronic mail may contain confidential, sensitive and/or protected health information intended only for the addressee(s). Any other person, including anyone who believes he/she might have received it due to an addressing error, is requested to notify this sender immediately by telephone and/or return e-mail, and shall delete it without further reading and retention. The information shall not be forwarded or shared. Intentional interception or dissemination of electronic mail not belonging to you may violate Federal or State law.
Attachments:

Key	Value
Received	from SJ0PR13MB6052.namprd13.prod.outlook.com ([fe80::17e1:f724:44f9:5180]) by SJ0PR13MB6052.namprd13.prod.outlook.com ([fe80::17e1:f724:44f9:5180%4]) with mapi id 15.20.8048.017; Thu, 10 Oct 2024 13:56:20 +0000
From	"Woodall,Jeremie" <jwoodall@ceenta.com>
To	"Goolsby,Caroline" <cgoolsby@ceenta.com>
Subject	Fw: Complete with Docusign: J929272_SOW Extension_002_09-OCT-24_201415.pdf
Thread-Topic	Complete with Docusign: J929272_SOW Extension_002_09-OCT-24_201415.pdf
Thread-Index	AQHbGxrx0QnmZqsJnEqy3Dd+l6ECg7KAAEXggAABojc=
Date	Thu, 10 Oct 2024 13:56:20 +0000
Message-ID	<SJ0PR13MB605243BD82C67A085614BD62B5782@SJ0PR13MB6052.namprd13.prod.outlook.com>
References	<993d3238c2464d0e9031244eb249a71c@docusign.net> <MN2PR13MB3856A92A1B7EBAAAB5B64C4CA8782@MN2PR13MB3856.namprd13.prod.outlook.com>
In-Reply-To	<MN2PR13MB3856A92A1B7EBAAAB5B64C4CA8782@MN2PR13MB3856.namprd13.prod.outlook.com>
Accept-Language	en-US
Content-Language	en-US
X-MS-Exchange-Organization-AuthAs	Internal
X-MS-Exchange-Organization-AuthMechanism	04
X-MS-Exchange-Organization-AuthSource	SJ0PR13MB6052.namprd13.prod.outlook.com
X-MS-Has-Attach
X-MS-Exchange-Organization-Network-Message-Id	0c2dd236-99af-4d34-b13e-08dce93351f7
X-MS-Exchange-Organization-SCL	1
X-MS-TNEF-Correlator
X-MS-Exchange-Organization-RecordReviewCfmType	0
x-ms-publictraffictype	Email
x-ms-reactions	allow
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	i2CJ8kyVUCclqwEGWctCT/BM8P08AY89K9YMCZ2Wo+ESoLfe8G7WLKu2NkovZQCos1CbhZq9eI4zTlCuBq7sqsfYr9Q9Dc0rOzKLOSgJ+bpk7/lLSttpHE8KwNNnv5UI/AriWdk2wkR5L+PmhnhRFPE6L0R9CXe990H+JrS4X/klBCZXDMVYqM9OAlYsS14tE3Jj2Vn5Ua2Ckls4O/WBy79vWTTqkYcjgOlJgfMoFGAYI3hSGWDos2CJWM+W7lIde5TduToPhlhm5EIsxbbHDYXfa87K6xOT4Ksq67FNDK8ap+T7Cjx4jTfCYbGjWgxegeCgd0yi1ciR3uSqsFNFpjEipYMvfbfAB3SCq+MWqz3KmK7bh2Z/zpWMJWLJFT75E0efcaJCv+XzKdyKMeNctyk8KIRH2q5iYg8Wr3eXZH+yYNzlwKfEFGBT8oaAvDzoDZpwGzYvWk6v7zxiuUEiZiW5okLicIx2ZuvOkZ69AJyMaBkJb3566WhqgB8Ntj4/N8bipbfE1BTUQzJsdQf3gUWV3yx0ccrWqjzBr8X9y1Mwiy/2x42H5gq7KfV+EHR+4kOQuJ3ZyJwWmSIFlid1GoA9lBlYKJgaNfRIa9PgdMR+5Ufahc2QHOEFHC4+Dbit0ZbKQOrVFaQh5DyyacDa2NXHTSHKN0b/3Cln0g2HYrqHsQg85BBpYbu52s/TbNRFJb3rPxbXq6uUY+nLKX9OLXujvoN8uheo5Grwp08HuWtAz/EOzUmCzStyS0Di7t1iaCOYCjp/M0ag1QxH5eOfPuSfImJn47XRotJykZtjFt95f8SbKXkimOMDzhZwIueEyp/WeqrlT1MxXuzdKqbVHA==
Content-Type	multipart/alternative; boundary="_000_SJ0PR13MB605243BD82C67A085614BD62B5782SJ0PR13MB6052namp_"
MIME-Version	1.0

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{CD0ED681-5B48-46A2-B918-397AB52629A8}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728576002588920900_71364968-CE07-4103-82E7-792B9BA0DE6E.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728576002589646400_71364968-CE07-4103-82E7-792B9BA0DE6E.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241010T1200020369-6504.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Chrome Cache Entry: 135

Chrome Cache Entry: 140

Chrome Cache Entry: 141

Chrome Cache Entry: 145

Chrome Cache Entry: 147

Chrome Cache Entry: 148

Chrome Cache Entry: 151

Chrome Cache Entry: 152

Chrome Cache Entry: 153

Chrome Cache Entry: 155

Chrome Cache Entry: 156

Chrome Cache Entry: 157

Chrome Cache Entry: 159

Chrome Cache Entry: 160

Chrome Cache Entry: 165

Chrome Cache Entry: 166

Chrome Cache Entry: 168

Windows Analysis Report
Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml