Windows Analysis Report
Important Action Required Redcape Contract Agreement for Professional Services.msg

Overview

General Information

Sample Name:Important Action Required Redcape Contract Agreement for Professional Services.msg
Analysis ID:1312727
MD5:18a070a570b9b28bce099812301db0d6
SHA1:f7f550ef6e88f37cb2151f95283e6bc5d371be19
SHA256:675a8c30d078495153042610d560cf9ff1aab8073eb861816e83d00e8db8fa3f

Detection

HTMLPhisher
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected BlockedWebSite
Found phishing picture in email (image similarty)
LLM found phishing text in email (MSG / EML)
Deletes files inside the Windows folder
Creates files inside the system directory
Creates a window with clipboard capturing capabilities
Stores large binary data to the registry
Queries time zone information
Creates or modifies windows services

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 2436 cmdline: C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Important Action Required Redcape Contract Agreement for Professional Services.msg MD5: CA3FDE8329DE07C95897DB0D828545CD)
    • chrome.exe (PID: 2096 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapiservices.krxd.net%2Fclick_tracker%2Ftrack%3Fptx%3DV638xnr9lcmnf%26arv%3Dbu7vs5rpZ%26clk%3Dhttps%3A%2F%2Ftelestationers.mw%2Ftelestationers%2Ftshost%2FRedcape%2Fdoreen.tan%40redcape.com.au&data=05%7C01%7Cdoreen.tan%40redcape.com.au%7C7896b887dc444391b48108dbbb13cf83%7C7ad3b322a23b4ceeb9aab9887924c206%7C0%7C0%7C638309467044535557%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=EFkGGnY0f2GPIuy8Kdq%2Brj46LQRyLmy67pvz4cY5rTE%3D&reserved=0 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
      • chrome.exe (PID: 1296 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1780,i,12690198465928797831,10439204556459875747,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
  • cleanup
Source | Rule | Description | Author | Strings
0.0.pages.csv | JoeSecurity_BlockedWebSite | Yara detected BlockedWebSite | Joe Security |
0.1.pages.csv | JoeSecurity_BlockedWebSite | Yara detected BlockedWebSite | Joe Security |
      No Sigma rule has matched
      No Snort rule has matched

      Phishing

      Source: Yara matchFile source: 0.0.pages.csv, type: HTML
      Source: Yara matchFile source: 0.1.pages.csv, type: HTML
      Source: RWRLABJGVT.pngEmail attachement: Found strong image similarity, brand: DOCUSIGN
      Source: Important Action Required Redcape Contract Agreement for Professional Services.msgChatGPT: Communication: 0 reasoning: The sender's email address does not match the company they claim to represent.
      Source: Important Action Required Redcape Contract Agreement for Professional Services.msgChatGPT: Communication: 0 reasoning: The email contains a suspicious link that does not lead to the company's official website.
      Source: Important Action Required Redcape Contract Agreement for Professional Services.msgChatGPT: Communication: 0 reasoning: The email contains a warning about clicking links or opening attachments, which is a common tactic used in phishing emails to create a sense of security.
      Source: Important Action Required Redcape Contract Agreement for Professional Services.msgChatGPT: Communication: 0 reasoning: The email contains a confidentiality notice, which is often used in phishing emails to create a sense of urgency and importance.
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9619_none_08e065a3a84109b0\MSVCR90.dll
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
      Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
      Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
      Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownDNS traffic detected: queries for: accounts.google.com
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEWindow created: window name: CLIPBRDWNDCLASS
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile deleted: C:\Windows\System32\PerfStringBackup.TMP
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Windows\inf\Outlook\
      Source: unknownProcess created: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Important Action Required Redcape Contract Agreement for Professional Services.msg
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapiservices.krxd.net%2Fclick_tracker%2Ftrack%3Fptx%3DV638xnr9lcmnf%26arv%3Dbu7vs5rpZ%26clk%3Dhttps%3A%2F%2Ftelestationers.mw%2Ftelestationers%2Ftshost%2FRedcape%2Fdoreen.tan%40redcape.com.au&data=05%7C01%7Cdoreen.tan%40redcape.com.au%7C7896b887dc444391b48108dbbb13cf83%7C7ad3b322a23b4ceeb9aab9887924c206%7C0%7C0%7C638309467044535557%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=EFkGGnY0f2GPIuy8Kdq%2Brj46LQRyLmy67pvz4cY5rTE%3D&reserved=0
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1780,i,12690198465928797831,10439204556459875747,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\InProcServer32
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_13929_20386-20230922T0630350478-2436.etl
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile written: C:\Windows\INF\Outlook\outlperf.ini
      Source: classification engineClassification label: mal56.phis.winMSG@17/23@5/45
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile read: C:\Program Files\Microsoft Office\root\Office16\1033\OUTLPERF.INI
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEWindow detected: Number of UI elements: 11
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9619_none_08e065a3a84109b0\MSVCR90.dll
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXERegistry key created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\Outlook\Performance
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformation
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\System32 FullSizeInformation
      Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
      Persistence: Windows Service (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
      Privilege Escalation: Windows Service (1); Process Injection (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
      Defense Evasion: Masquerading (11); Modify Registry (1); Process Injection (1); File Deletion (1); Software Packing
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
      Discovery: System Time Discovery (1); Process Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (2)
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
      Collection: Clipboard Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
      Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

      No Antivirus matches
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      accounts.google.com | 142.251.40.237 | true | false | | high
      aus01.safelinks.protection.outlook.com | 52.102.13.76 | true | false | | high
      www.google.com | 142.251.40.228 | true | false | | high
      clients.l.google.com | 142.250.80.78 | true | false | | high
      clients2.google.com | unknown | unknown | false | | high
      Name | Malicious | Antivirus Detection | Reputation
      https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapiservices.krxd.net%2Fclick_tracker%2Ftrack%3Fptx%3DV638xnr9lcmnf%26arv%3Dbu7vs5rpZ%26clk%3Dhttps%3A%2F%2Ftelestationers.mw%2Ftelestationers%2Ftshost%2FRedcape%2Fdoreen.tan%40redcape.com.au&data=05%7C01%7Cdoreen.tan%40redcape.com.au%7C7896b887dc444391b48108dbbb13cf83%7C7ad3b322a23b4ceeb9aab9887924c206%7C0%7C0%7C638309467044535557%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=EFkGGnY0f2GPIuy8Kdq%2Brj46LQRyLmy67pvz4cY5rTE%3D&reserved=0 | false | | high
      IP | Domain | Country | ASN | ASN Name | Malicious
      52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      9.9.9.9 | unknown | United States | 19281 | QUAD9-AS-1US | false
      1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
      52.109.8.89 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      239.255.255.250 | unknown | Reserved | unknown | unknown | false
      142.250.65.195 | unknown | United States | 15169 | GOOGLEUS | false
      52.109.8.36 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      52.102.13.76 | aus01.safelinks.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      142.251.41.4 | unknown | United States | 15169 | GOOGLEUS | false
      52.111.227.14 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
      142.250.80.78 | clients.l.google.com | United States | 15169 | GOOGLEUS | false
      142.251.40.237 | accounts.google.com | United States | 15169 | GOOGLEUS | false
                  Joe Sandbox Version:38.0.0 Beryl
                  Analysis ID:1312727
                  Start date and time:2023-09-22 06:30:08 +02:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsinteractivecookbook.jbs
                  Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
                  Number of analysed new started processes analysed:9
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • EGA enabled
                  Analysis Mode:stream
                  Analysis stop reason:Timeout
                  Sample file name:Important Action Required Redcape Contract Agreement for Professional Services.msg
                  Detection:MAL
                  Classification:mal56.phis.winMSG@17/23@5/45
                  Cookbook Comments:
                  • Found application associated with file extension: .msg
                  • Exclude process from analysis (whitelisted): RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.111.227.14, 52.113.194.132, 52.109.8.36
                  • Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, prod.nexusrules.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, us1.roaming1.live.com.akadns.net, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, nexusrules.officeapps.live.com
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):239628
                  Entropy (8bit):4.2804350410418
                  Encrypted:false
                  SSDEEP:
                  MD5:B9556B2FCE899A33D1FC41DDC9716614
                  SHA1:F6F9FE827C81960150F4E207B43CF74BEC4E8074
                  SHA-256:FAA9BAC27885D927DB47CB114EB7A05B0EBE48F460AC4EA7C328E11746434498
                  SHA-512:BA630BFE3BEC5C17DC48584681E1073EEB575294D1BD64D9E7488EF24770DECBF238904EEB0537B26DF031EC2AA4229E48F7C5E4E03A547B3D0732B85E00CACD
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):160590
                  Entropy (8bit):5.346772007368918
                  Encrypted:false
                  SSDEEP:
                  MD5:A4DD141F793CEA7FF385EFDFE9856E2F
                  SHA1:C2060A6D27EC7BDBFDED3BBF6435FDECBFEC02EC
                  SHA-256:1720A9A9C47C72F9CC19273D8E1D1FD7873B2CF9C8D35BB2238B0AC19BA3AB1F
                  SHA-512:9ADEFBD3D77E3D8FE0E4B3C09BF115C6D4D470840F4309313934117A6A601E894DBF4C311E089BA1360D408F6C3B501FF1AEC392AA88054E5516F03885BC84E0
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-09-22T04:30:38">.. Build: 16.0.16917.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):273012
                  Entropy (8bit):5.128574640302048
                  Encrypted:false
                  SSDEEP:
                  MD5:DA27FD3691A6E9B136D7461528DB470A
                  SHA1:C72A5BC6923841D219C40AA36BCF68299AE2A361
                  SHA-256:43A93C94E80BA26A1B578B369263F6C362AE1909FAD5A3587ADB7C1E710F576C
                  SHA-512:D5020FDACB1FFE01A7672B235FC81BE570E9CB0B128868C04B68262B98495AAD0B7984A8310B332E860AC464BE60B409A0D091560CDBC000B2D3DA6FF1C96E7E
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2"
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):32768
                  Entropy (8bit):0.0923612942132161
                  Encrypted:false
                  SSDEEP:
                  MD5:98C8922A73CC0361B73652B2609DB7A7
                  SHA1:F03F8CDE2D6AB4C5479C668C383E96DB76535D57
                  SHA-256:DF2177F54AF8A89C5D53A3F9DAD007B5CAAF0F7FD1E3FF4971F9DE1AFF15EA41
                  SHA-512:0B136E98BCA7FC5D5579742065E0F3D279FC440EED018983A527F4D21408A13759398662452D48DFF23040B0539FF2DD581ADAEDBD9D5C57ECE9E31C64ABC41D
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:SQLite Write-Ahead Log, version 3007000
                  Category:modified
                  Size (bytes):267832
                  Entropy (8bit):2.78750787746667
                  Encrypted:false
                  SSDEEP:
                  MD5:A748631DA60454D8ECC805894FA0B36C
                  SHA1:98E3E2DBBDBD3B95CDAF76C1C4D9DCCF3A8AA7A1
                  SHA-256:1A2FD742D4A2131E856230D4009CE23F694A57D538EF295080125A6645A0735B
                  SHA-512:2F5AA5D2ADE609B6F9E50E7AE2C88DAA6CF86CAD89A333E59174871DD9F7138EA4688E676B5466EB03ABCD1001D08FF7BFA8BBFBE878CC551B10E39D427D3CB8
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):2278
                  Entropy (8bit):3.8528168765777586
                  Encrypted:false
                  SSDEEP:
                  MD5:0978DAD878C18DEE3078DFA15E80176F
                  SHA1:8B45C870F267E38CA008E3A4CD9A93307E2AE470
                  SHA-256:EF3C640850165BF3B74A16AE2805490787C5BDBF21FC5DE9F6703C3DAF718385
                  SHA-512:FC4A4CF331A0279BB7724823BACC13035C9F13B86BB97533601D4348C14454925CC435F429DFA9006621CDCD481ABC7B549515235492B9FF4DC285AE2C927EC6
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):2684
                  Entropy (8bit):3.904719321743347
                  Encrypted:false
                  SSDEEP:
                  MD5:E1DCDD10DDE83058AA1E24E40F1782EF
                  SHA1:EA822FFFBEEE54FDAB2741C356E5180002876B16
                  SHA-256:7CBE90A6909434D670110F1E2FCC1D373D1BC0A8C7AF33B796EEA700869463B8
                  SHA-512:930C54E284B0BE05830A9DA97A5354BD3EF3513C3070F56B23E8BDDBF8EE0C6F95B12D59110F2F7ED190841AF59A54B584DF4A4F16917E75CE581BCBF7048874
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):3902
                  Entropy (8bit):3.9812352903286112
                  Encrypted:false
                  SSDEEP:
                  MD5:5F81B4067C3B5D1E5178F113DD1C2EA5
                  SHA1:52080C8223D0078AC59E9A005EC8A8CF932E6FF6
                  SHA-256:667B812C296A5160547553D4B4D78D1BC7F41DA9451BD6496E3E31231F812E56
                  SHA-512:A5B900C4A1DC4001D74CF9E6350D4709248918AA10192ED3F9279FBD740E36D4DA2361BE5C4F52CA82ABF31CF014FE15B2E76F5DD3A99E41131C68B5B145018E
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:PNG image data, 723 x 879, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):128402
                  Entropy (8bit):7.946235805510089
                  Encrypted:false
                  SSDEEP:
                  MD5:ADD9FB7245831B8EA2E0FC08586CEAAF
                  SHA1:440C5E2158A585C0467106B5A723DCDE3FB6A84E
                  SHA-256:2406D70D4B1D8D3F4C0E3A9BFAA1774FF5329CA8DB3ADDE17649A51AC7C2F16D
                  SHA-512:10AC9A6B7387B703A83053EC447B950688AEDA790D79436506619C7532B19ED8860F0AC11F93C83C6756856ECE8F305AA9C1002E7F4A1E7D270F414BB55C54AF
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):180224
                  Entropy (8bit):4.799059568698927
                  Encrypted:false
                  SSDEEP:
                  MD5:4F8379A891C583C6DD0B95A119585AC5
                  SHA1:E85B61BCAC9DA62B3529A12C0259DFC7A59E5F64
                  SHA-256:21C03DFE0F4C495B1155F9148018F86A3D1F44126E5BAF551AA8DBCBCEE8EB6E
                  SHA-512:2852C39EC5A344EDA522DBDB44D857136D9AC1573166AA5B66E7B851A28DCC6394CF6BC4C26C5EC3FCB4EF7259BEFB61F156A9DFEC302A2225D55FE867023F27
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):155648
                  Entropy (8bit):0.40814520136306004
                  Encrypted:false
                  SSDEEP:
                  MD5:ABBC030B9430D4998C128F340853D3C3
                  SHA1:4B1C594E08291353FB58D7D253E820184678AE4E
                  SHA-256:B92C7BE8AA9123196B154690E01BFB7C22B09BEAF1FAC57CB66C0EBE24E6E8F9
                  SHA-512:4F3CD0A11DA567665A738DDAAC69558320B9240D12CEE3B3377D64DB2E503A8713B48DADDF8BD61101B571F66999A672636D27ED4BF80AC98A2B480258740031
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):2560
                  Entropy (8bit):2.017663361277445
                  Encrypted:false
                  SSDEEP:
                  MD5:2229AF044597B2FF7FB4B0A28B43E420
                  SHA1:8E7705439D7DEAAA51866E808DECBD76951F5582
                  SHA-256:1BC4B9937B1D38A8501883DDA88F80A73C44F51EBA12D922F7DDD2008497BBAE
                  SHA-512:24236FC9EEFC9287E4C00D3F2B0F804C8E91F10474A675AC9CDA3684171138A3CA97D5FBA7CCCBBBA83244CF472D0C59B7291F777D15B021B3725D830DDAEE30
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Microsoft Word 2007+
                  Category:dropped
                  Size (bytes):19516
                  Entropy (8bit):7.47086643446671
                  Encrypted:false
                  SSDEEP:
                  MD5:9EAE9FB5E647DD4B47D0DA961F2846CD
                  SHA1:C991FC248372F187A56BD60B3CDBB44DF47DBAAE
                  SHA-256:C730CE7B09A19FC5762350B5380614EDA37ECE0EDFFC16B1383B6A1B8DC2647E
                  SHA-512:20EACC82C5075C7DF047C83FC07231E3D67046A3BF9B1A72BC79B47149614636BE963E0D33E55DDEFEBDF2DF62614EDEFB4AA09E83B7D1570E4592A4F175A089
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:modified
                  Size (bytes):162
                  Entropy (8bit):3.192283400609839
                  Encrypted:false
                  SSDEEP:
                  MD5:89AB06413C9EF48D79E1FE62B8E3C682
                  SHA1:1C60F154432C2C9A639FAB88F171795E49080EE8
                  SHA-256:DCFA558E85841A60A8FD200EABCA131832A8BF782F4C4F34A5C5AA8C4656E127
                  SHA-512:17DBC4AEFDD1536BCB003DD9C42E645CF4793556B2456CC673B190671588AC077EA5F844244E78C83F417EC9A2FD674CF7206FC754901156030E4B1E9A3DBF0B
                  Malicious:false
                  Reputation:low
                  Preview:.user................................................a.l.f.r.e.d.o...................#.......!....0U...............I{?............pG{?......U......r.=....M2..
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Microsoft Word 2007+
                  Category:dropped
                  Size (bytes):19516
                  Entropy (8bit):7.47086643446671
                  Encrypted:false
                  SSDEEP:
                  MD5:9EAE9FB5E647DD4B47D0DA961F2846CD
                  SHA1:C991FC248372F187A56BD60B3CDBB44DF47DBAAE
                  SHA-256:C730CE7B09A19FC5762350B5380614EDA37ECE0EDFFC16B1383B6A1B8DC2647E
                  SHA-512:20EACC82C5075C7DF047C83FC07231E3D67046A3BF9B1A72BC79B47149614636BE963E0D33E55DDEFEBDF2DF62614EDEFB4AA09E83B7D1570E4592A4F175A089
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):20
                  Entropy (8bit):2.8954618442383215
                  Encrypted:false
                  SSDEEP:
                  MD5:F265DE41A3438656937BE5C5D5533FD0
                  SHA1:821DB3674A94901FB5EC364B219CD1988114E406
                  SHA-256:18EB4D03AEAF29E2919C8D5382C2184B16ACFE5E4F3A2CEA39E43D8A02C284F1
                  SHA-512:7B3485397CFD4F88E2C7A36FB4642A3F9C996127BA36E8C306CB7560B03EE8AE839EE0564FB47A06BCE6DC01CD82BEC5D1479B70054F2186C255C4CE33C5ECF1
                  Malicious:false
                  Reputation:low
                  Preview:..a.l.f.r.e.d.o.....
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Microsoft Outlook email folder (>=2003)
                  Category:dropped
                  Size (bytes):271360
                  Entropy (8bit):1.6767874655911852
                  Encrypted:false
                  SSDEEP:
                  MD5:35227FDC6DB8E3779DB1B2C11B2207C0
                  SHA1:C9C36DF50E02F98E9CD08769777F9E6718D55D48
                  SHA-256:191D26BC369B6053B02B098D1046535A2CE5CB55142F311201E9FFDF675BF204
                  SHA-512:427EC80DCA4F29C8A5FCF4A6466E054E4D42886A5458569E51257DA24876EEBDBDF5D4AE845DB7CE27D4E1DC575C4A762FDE6EE196B24AA5866FF8B0A7745EEC
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):131072
                  Entropy (8bit):0.7295300288713858
                  Encrypted:false
                  SSDEEP:
                  MD5:9B8B40CBB7F3A9DCA60FFA1A926DBD33
                  SHA1:DFC566600C1201249C8DFCDB4003E1EFA857B206
                  SHA-256:C261002B4069FE56C721224EAADB7EDCA077989E719B1A0F8C065EF68F5D611E
                  SHA-512:D42F2EF3F2B0B8849BF781DC56D9C16D830C359FEAF52CDB027D5378B3C9424D62B73FC827772CAE9696F87C91B6E189A5318C964E09E719C828CC4F7D3E7359
                  Malicious:false
                  Reputation:low
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):551
                  Entropy (8bit):4.697154350883648
                  Encrypted:false
                  SSDEEP:
                  MD5:BC71FF7DA14ECA943FA0AD815F72B8CB
                  SHA1:CECCD0CFF2DD12AEDE7DE14457D15D00687165BB
                  SHA-256:48E537902C03A3EEE4790FC97EE072CDDC7C1A90122702DD18243D8C12A0D99A
                  SHA-512:08CD022D34C1B9B080322C3CFA15CC22E3353D42BA55C729723378DC177E8A0E979C6644BC2F97B2E36CB5E864FA37FF05DA6DBA5794A39380E72182015AB324
                  Malicious:false
                  Reputation:low
                  Preview:#define OBJECTTYPE 0..#define RPCATTEMPTED 2..#define RPCSUCCEEDED 4..#define RPCFAILED 6..#define RPCCANCEL 8..#define RPCSHOWN 10..#define RPCFOREGROUND 12..#define RPCTIMEAVG 14..#define RPCTIMEAVG10 16..#define RPCTIMEAVG50 18..#define RPCTIMEAVG200 20..#define RPCTIMEMIN 22..#define RPCTIMEMAX 24..#define RPCCONNCOUNT 26..#define RPCSRVOBJCOUNT 28..#define CONTEXTHANDLECOUNTAD 30..#define BINDINGHANDLECOUNTAD 32..#define CONTEXTHANDLECOUNTSTORE 34..#define BINDINGHANDLECOUNTSTORE 36..
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Generic INItialization configuration [languages]
                  Category:dropped
                  Size (bytes):2695
                  Entropy (8bit):5.33674634085226
                  Encrypted:false
                  SSDEEP:
                  MD5:509A7197AE66401D1DA76F4BAC1DD0A8
                  SHA1:A30F0CF0161ADDBDD3B04B482FEF651EE4EAE322
                  SHA-256:EE9E288C3495FD548FD49095BE08807F215FC0780064E179011098C0C7461A34
                  SHA-512:4041C1073CB15ADA49D284CF612A95502CE74AC1EF69FD1B9DFDF84EDDD074150B6092C8534E49807AD3166F97127477E3497368AE845D369EBBFC2ACFC6C071
                  Malicious:false
                  Reputation:low
                  Preview:[info]..drivername=Outlook..symbolfile=outlperf.h....[languages]..009=English....[text]..OBJECTTYPE_009_NAME=Outlook..OBJECTTYPE_009_HELP=Gives performance metrics for outlook server connectivity...RPCATTEMPTED_009_NAME=RPCs Attempted..RPCATTEMPTED_009_HELP=Number of RPCs that outlook attempted to send to the server...RPCSUCCEEDED_009_NAME=RPCs Succeeded..RPCSUCCEEDED_009_HELP=Number of RPCs that outlook successfully sent to the server...RPCFAILED_009_NAME=RPCs Failed..RPCFAILED_009_HELP=Number of RPCs that were attempted, but failed...RPCCANCEL_009_NAME=RPCs Cancelled..RPCCANCEL_009_HELP=Number of RPCs that were sent to the server, but the user cancelled...RPCSHOWN_009_NAME=RPCs UI Shown..RPCSHOWN_009_HELP=Number of RPCs that were sent to the server, and took long enough to show progress UI...RPCFOREGROUND_009_NAME=RPCs Attempted - UI..RPCFOREGROUND_009_HELP=Number of RPCs that outlook attempted that blocked the UI...RPCTIMEAVG_009_NAME=Time Avg (all)..RPCTIMEAVG_009_HELP=The average
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):859104
                  Entropy (8bit):3.425747900982268
                  Encrypted:false
                  SSDEEP:
                  MD5:49D331723F55C80BAA2A0F67440DCBE8
                  SHA1:7CC39AEA1B0D74B0673EF57E6E36A4B076BE3A73
                  SHA-256:76F16159D4E5B8972EEF7CDB6C2D331816C8BBFF39CF1E13D9C75D2CF1F0B1C6
                  SHA-512:FD04F284EAD52CA2DC50825150D66AE7F9A08BEA38B3DCBC8F1579AAFF79B0CB043B3F290AE9AE310822A2C5371AC761EFA0FFF41D8F8C103C0F967728AACFDD
                  Malicious:false
                  Reputation:low
                  Preview:........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.7.0.....L.a.s.t. .H.e.l.p.=.1.0.1.7.1.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.0.4.....F.i.r.s.t. .H.e.l.p.=.8.9.0.5.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....L.a.s.t. .H.e.l.p.=.8.9.1.7.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.6.5.4.....F.i.r.s.t. .H.e.l.p.=.8.6.5.5.....L.a.s.t. .C.o.u.n.t.e.r.=.8.6.6.4.....L.a.s.t. .H.e.l.p.=.8.6.6.5.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.7.4.2.....F.i.r.s.t. .H.e.l.p.=.6.7.4.3.....L.a.s.t. .C.o.u.n.t.e.r.=.6.7.6.8.....L.a.s.t. .H.e.l.p.=.6.7.6.9.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.4.8.....F.i.r.s.t. .H.e.l.p.=.8.9.4.9.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.7.6.....L.a.s.t. .H.e.l.p.=.8.9.7.7.........[.P.E.R.F._...N.E.
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):134328
                  Entropy (8bit):3.4070252971321673
                  Encrypted:false
                  SSDEEP:
                  MD5:0B93BD4D4FEB91B302D1D37395BA87B3
                  SHA1:976289290F5B26119ACC5F4198B2A9130BEE0C8B
                  SHA-256:98205417B38B2F63EA639D00636A4130B670F8608196CB2DB4B1C0D859D78E2B
                  SHA-512:9340B87669D632799A461F401D41247D749082480A065C3F0AD737909C28A27ABAAA0EDA86B07ECBA36F995D9938E2EEC3558AEB01AA35A2761568732C07649E
                  Malicious:false
                  Reputation:low
                  Preview:1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.
                  Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):713794
                  Entropy (8bit):3.275722206359022
                  Encrypted:false
                  SSDEEP:
                  MD5:2DFFFCAD174FED5C02ADF147768F921B
                  SHA1:DF211F1FFF47ABBC59AA6B54A184BB6F554BAE7B
                  SHA-256:F8F574AD65087AC82D2EBA2C2F4F13A0D7027E72AEE0C930E37044FEFF7D234E
                  SHA-512:B1357B93F930C343D6EF5BF35655D4D1464A053D43D43779FD71E37DFD527E0D45C5C907FF8852F1FF4F96CF1941B1791DAEED43D36DBC781941ABD1416503E7
                  Malicious:false
                  Reputation:low
                  Preview:3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.
                  File type:CDFV2 Microsoft Outlook Message
                  Entropy (8bit):7.159660033505401
                  TrID:
                  • Outlook Message (71009/1) 45.36%
                  • Outlook Form Template (41509/1) 26.51%
                  • Perfect Keyboard macro set (36024/1) 23.01%
                  • Generic OLE2 / Multistream Compound File (8008/1) 5.12%
                  File name:Important Action Required Redcape Contract Agreement for Professional Services.msg
                  File size:226'304 bytes
                  MD5:18a070a570b9b28bce099812301db0d6
                  SHA1:f7f550ef6e88f37cb2151f95283e6bc5d371be19
                  SHA256:675a8c30d078495153042610d560cf9ff1aab8073eb861816e83d00e8db8fa3f
                  SHA512:2c78601476d2a8d1cbba0cce77009520de8638d831d70da81686a826c291364f346b8cc75c42a18e2380cad8b24a2542018cb896ffc54e4cd91a2fb5a2c9da64
                  SSDEEP:3072:jiZoExt0EZPbuYygBBgTh+fxiJkMbjBgcz6etZu66lBhO8AYHGNYlRI5i1:mVbpJuhIikMvBV/XIl
                  TLSH:39248E1639E78614F2B7AFB949F650479925BCA2EE25CB5F2581330E16B1C01EC70F2B
                  Subject:Important Action Required: Redcape Contract Agreement for Professional Services
                  From:Redcape E-Signature Notification <adam.fenton@eyebrowconsulting.com>
                  To:Doreen Tan <Doreen.Tan@redcape.com.au>
                  Cc:
                  BCC:
                  Date:Fri, 22 Sep 2023 04:29:33 +0200
                  Communications:
                  • This email is from an external sender. Please do not click links or open attachments unless you recognize the sender and know the content is safe. <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapiservices.krxd.net%2Fclick_tracker%2Ftrack%3Fptx%3DV638xnr9lcmnf%26arv%3Dbu7vs5rpZ%26clk%3Dhttps%3A%2F%2Ftelestationers.mw%2Ftelestationers%2Ftshost%2FRedcape%2Fdoreen.tan%40redcape.com.au&data=05%7C01%7Cdoreen.tan%40redcape.com.au%7C7896b887dc444391b48108dbbb13cf83%7C7ad3b322a23b4ceeb9aab9887924c206%7C0%7C0%7C638309467044535557%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=EFkGGnY0f2GPIuy8Kdq%2Brj46LQRyLmy67pvz4cY5rTE%3D&reserved=0> ________________________________ The information contained in this electronic communication and any document attached hereto or transmitted herewith is confidential and intended for the exclusive use of the individual or entity named above. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any examination, use, dissemination, distribution or copying of this communication or any part thereof is strictly prohibited. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy this communication. Thank you.
                  Attachments:
                  • RWRLABJGVT.png
                  Key Value
                  Received:from [100.64.100.6] ([45.133.5.103]) by mrelayeu.kundenserver.de
                  02:31:44 +0000
                  ME3PR01MB6724.ausprd01.prod.outlook.com (2603:10c6:220:125::9) with Microsoft
                  15.20.6813.23; Fri, 22 Sep 2023 02:29:56 +0000
                  (2603:10c6:220:5::22) with Microsoft SMTP Server (version=TLS1_2,
                  Transport; Fri, 22 Sep 2023 02:29:56 +0000
                  15.20.6838.12 via Frontend Transport; Fri, 22 Sep 2023 02:29:56 +0000
                  by mx305.antispamcloud.com with esmtps (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
                  for doreen.tan@redcape.com.au; Fri, 22 Sep 2023 04:29:53 +0200
                  for <doreen.tan@redcape.com.au>; Fri, 22 Sep 2023 04:29:40 +0200
                  From:Redcape E-Signature Notification <adam.fenton@eyebrowconsulting.com>
                  To:Doreen Tan <Doreen.Tan@redcape.com.au>
                  Subject:Important Action Required: Redcape Contract Agreement for
                  Thread-Topic:Important Action Required: Redcape Contract Agreement for
                  Thread-Index:AQHZ7PztHv3+PgoZLUScUIvxhsagqQ==
                  Importance:high
                  X-Priority:1
                  Date:Fri, 22 Sep 2023 02:29:33 +0000
                  Message-ID:<169534977338.57588.13586127585770475354@eyebrowconsulting.com>
                  Content-Language:en-AU
                  X-MS-Exchange-Organization-AuthSource:ME3AUS01FT017.eop-AUS01.prod.protection.outlook.com
                  X-MS-Has-Attach:yes
                  X-MS-Exchange-Organization-Network-Message-Id:7896b887-dc44-4391-b481-08dbbb13cf83
                  X-MS-TNEF-Correlator:x-ms-publictraffictype: Email
                  received-spf:pass (mx305.antispamcloud.com: domain of eyebrowconsulting.com
                  authentication-results:spf=pass (sender IP is 212.227.126.187)
                  x-ms-office365-filtering-correlation-id:7896b887-dc44-4391-b481-08dbbb13cf83
                  x-microsoft-antispam:BCL:0;
                  x-ms-traffictypediagnostic:ME3AUS01FT017:EE_|ME3PR01MB6724:EE_|ME3PR01MB8532:EE_
                  x-forefront-antispam-report:CIP:185.201.19.200;CTRY:DE;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mout.kundenserver.de;PTR:mout.kundenserver.de;CAT:NONE;SFS:;DIR:INB;
                  x-ms-exchange-crosstenant-network-message-id:7896b887-dc44-4391-b481-08dbbb13cf83
                  x-ms-exchange-crosstenant-originalarrivaltime:22 Sep 2023 02:29:56.3345 (UTC)
                  x-ms-exchange-crosstenant-fromentityheader:Internet
                  x-ms-exchange-crosstenant-id:7ad3b322-a23b-4cee-b9aa-b9887924c206
                  x-ms-exchange-transport-crosstenantheadersstamped:ME3PR01MB6724
                  authentication-results-original:antispamcloud.com; spf=pass
                  x-eopattributedmessage:0
                  x-ms-exchange-transport-endtoendlatency:00:01:47.9628337
                  x-ms-exchange-processed-by-bccfoldering:15.20.6813.014
                  x-eoptenantattributedmessage:7ad3b322-a23b-4cee-b9aa-b9887924c206:0
                  x-ms-exchange-atpmessageproperties:SA|SL
                  x-ms-exchange-crosstenant-authas:Anonymous
                  x-ms-exchange-crosstenant-authsource:ME3AUS01FT017.eop-AUS01.prod.protection.outlook.com
                  x-report-abuse-to:spam@quarantine14.antispamcloud.com
                  x-recommended-action:accept
                  x-filter-id:Mvzo4OR0dZXEDF/gcnlw0QMcUzSk6iCXiZrKhsXBB2KpSDasLI4SayDByyq9LIhVZVtPQGbGgb4Q
                  x-spf-result:mx305.antispamcloud.com: domain of eyebrowconsulting.com
                  x-mailassure-class:unsure
                  x-mailassure-evidence:Combined (0.69)
                  X-Microsoft-Antispam-Mailbox-Delivery:ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420103);
                  X-Microsoft-Antispam-Message-Info:=?us-ascii?Q?GJSgvHmt3DErU6zPlNr4ep02xfVhiNeIt8prKE7EECkYC4Qka7UhTAuzGoGC?=
                  Content-Type:multipart/related;
                  MIME-Version:1.0
                  date:Fri, 22 Sep 2023 04:29:33 +0200

                  Icon Hash:c4e1928eacb280a2