Edit tour

Windows Analysis Report
Invoice.msg

Overview

General Information

Sample name:	Invoice.msg
Analysis ID:	1550051
MD5:	9d28d181cba5235a5024af3311bfa697
SHA1:	77ae21a95788d86aaada4861743a979bb547b113
SHA256:	d2f69c24241e5bd6d5f1b8bc68719f43cb3833de602b89a301ee852d298693f5
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected potential phishing Email

Detected non-DNS traffic on DNS port

Form action URLs do not match main URL

HTML body contains low number of good links

HTML body with high number of embedded SVGs detected

HTML page contains hidden javascript code

HTML title does not match URL

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Suspicious Office Outbound Connections

Stores files to the Windows start menu directory

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 5220 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Invoice.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6996 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "672215CA-F4AA-4482-9503-571E8ABAF98A" "F5042F95-A155-46F5-BFCD-888C65CCABC7" "5220" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 2036 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?e=ZQaqIA MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1612 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1968,i,11042376241896981992,14371663597059836392,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5220, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49696, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Initiated: true, ProcessId: 5220, Protocol: tcp, SourceIp: 52.123.243.71, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg

HTTP Parser: Form action: https://login.microsoftonline.com/4900a925-f6d8-4158-b2ee-73abce5a0025/oauth2/v2.0/authorize?client_id=08e18876-6177-487e-b8b5-cf950c1e598c&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default%20openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Fjameskolcreative-my.sharepoint.com%2F_forms%2Fspfxsinglesignon.aspx&client-request-id=3d139792-4bae-4534-9c4e-978a09e77faf&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=3.23.0&client_info=1&code_challenge=EfrSY9DK4U0HLRHIk-DOQ2l5Dj58RvwDwNHxV0ip5Gg&code_challenge_method=S256&prompt=none&nonce=01930119-d621-7a24-b546-2c552a432048&state=eyJpZCI6IjAxOTMwMTE5LWQ2MWYtNzY3OC1iZWYwLWQ4YzE0Nzc0NWExOCIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19&sso_reload=true sharepoint microsoftonline

Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg

HTTP Parser: Number of links: 0

Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg

HTTP Parser: Total embedded SVG size: 167060

Source: https://jameskolcreative-my.sharepoint.com/personal/admin_canterburycreative_com_au/_layouts/15/Doc.aspx?sourcedoc=%7Ba29f55d8-85ea-4cda-bbdf-88fc60e0b944%7D&action=default&slrid=653461a1-009e-4000-0673-1f280b28ba3b&originalPath=aHR0cHM6Ly9qYW1lc2tvbGNyZWF0aXZlLW15LnNoYXJlcG9pbnQuY29tLzp1Oi9nL3BlcnNvbmFsL2FkbWluX2NhbnRlcmJ1cnljcmVhdGl2ZV9jb21fYXUvRWRoVm42THFoZHBNdTktSV9HRGd1VVFCYnZzSU9ZMGFObk1GNlJZZy1pX1BvUT9ydGltZT03TFl1N0ZELTNFZw&CID=e5b6b0f7-941a-4717-b89f-eb22fd30df8c&_SRM=0:G:77

HTTP Parser: Base64 decoded: {"typ":"JWT","alg":"RS256","x5t":"uXehQJPleVjNCbakUhGD6IyFQQk"}

Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg

HTTP Parser: Title: Redirecting does not match URL

Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg

HTTP Parser: No favicon

Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg

HTTP Parser: No <meta name="author".. found

Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 52.123.243.71:443 -> 192.168.2.16:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49881 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.16:52411 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:52411 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:52411 -> 1.1.1.1:53

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.67
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197

Source: global traffic	DNS traffic detected: DNS query: jameskolcreative-my.sharepoint.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: common.online.office.com
Source: global traffic	DNS traffic detected: DNS query: m365cdn.nel.measure.office.net
Source: global traffic	DNS traffic detected: DNS query: login.microsoftonline.com
Source: global traffic	DNS traffic detected: DNS query: aadcdn.msftauth.net
Source: global traffic	DNS traffic detected: DNS query: storage.live.com
Source: global traffic	DNS traffic detected: DNS query: messaging.engagement.office.com
Source: global traffic	DNS traffic detected: DNS query: visioonline.nel.measure.office.net
Source: global traffic	DNS traffic detected: DNS query: spo.nel.measure.office.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52413
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 52413 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901

Source: unknown	HTTPS traffic detected: 52.123.243.71:443 -> 192.168.2.16:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.16:49881 version: TLS 1.2

Source: classification engine

Classification label: mal48.winMSG@27/20@42/388

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241106T0550510958-5220.etl

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Invoice.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "672215CA-F4AA-4482-9503-571E8ABAF98A" "F5042F95-A155-46F5-BFCD-888C65CCABC7" "5220" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?e=ZQaqIA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1968,i,11042376241896981992,14371663597059836392,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "672215CA-F4AA-4482-9503-571E8ABAF98A" "F5042F95-A155-46F5-BFCD-888C65CCABC7" "5220" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?e=ZQaqIA
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1968,i,11042376241896981992,14371663597059836392,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1271D5-2FF2-4EA4-9647-C67A82A2D85C}\InProcServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: Email	LLM: Email contains QR code
Source: Email	LLM: Email contains QR code
Source: https://jameskolcreative-my.sharepoint.com/personal/admin_canterburycreative_com_au/_layouts/15/Doc.aspx?sourcedoc=%7Ba29f55d8-85ea-4cda-bbdf-88fc60e0b944%7D&action=default&slrid=653461a1-009e-4000-0673-1f280b28ba3b&originalPath=aHR0cHM6Ly9qYW1lc2tvbGNyZWF0aXZlLW15LnNoYXJlcG9pbnQuY29tLzp1Oi9nL3BlcnNvbmFsL2FkbWluX2NhbnRlcmJ1cnljcmVhdGl2ZV9jb21fYXUvRWRoVm42THFoZHBNdTktSV9HRGd1VVFCYnZzSU9ZMGFObk1GNlJZZy1pX1BvUT9ydGltZT03TFl1N0ZELTNFZw&CID=e5b6b0f7-941a-4717-b89f-eb22fd30df8c&_SRM=0:G:77	LLM: Page contains button: 'VIEW DOCUMENT' Source: '1.0.pages.csv'
Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg	LLM: Page contains button: 'VIEW DOCUMENT' Source: '2.2.pages.csv'
Source: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg	LLM: Page contains button: 'VIEW DOCUMENT' Source: '2.1.pages.csv'

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email has a vague subject line 'Invoice' with minimal content mentioning an unspecified attachment

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Name	IP	Active	Malicious	Reputation
mira-tmc.tm-4.office.com	52.123.243.71	true	false	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
wac-0003.wac-msedge.net	52.108.8.12	true	false	unknown
dual-spo-0005.spo-msedge.net	13.107.136.10	true	false	high
195554-ipv4v6.farm.dprodmgd106.aa-rt.sharepoint.com	52.105.206.27	true	false	unknown
sni1gl.wpc.omegacdn.net	152.199.21.175	true	false	high
www.google.com	142.250.185.132	true	false	high
wac-0003.wac-dc-msedge.net	52.108.11.12	true	false	unknown
sni1gl.wpc.sigmacdn.net	152.199.21.175	true	false	unknown
common.online.office.com	unknown	unknown	false	high
aadcdn.msftauth.net	unknown	unknown	false	high
visioonline.nel.measure.office.net	unknown	unknown	false	high
login.microsoftonline.com	unknown	unknown	false	high
storage.live.com	unknown	unknown	false	high
jameskolcreative-my.sharepoint.com	unknown	unknown	false	unknown
m365cdn.nel.measure.office.net	unknown	unknown	false	high
messaging.engagement.office.com	unknown	unknown	false	high
spo.nel.measure.office.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg	true		unknown
https://jameskolcreative-my.sharepoint.com/personal/admin_canterburycreative_com_au/_layouts/15/Doc.aspx?sourcedoc=%7Ba29f55d8-85ea-4cda-bbdf-88fc60e0b944%7D&action=default&slrid=653461a1-009e-4000-0673-1f280b28ba3b&originalPath=aHR0cHM6Ly9qYW1lc2tvbGNyZWF0aXZlLW15LnNoYXJlcG9pbnQuY29tLzp1Oi9nL3BlcnNvbmFsL2FkbWluX2NhbnRlcmJ1cnljcmVhdGl2ZV9jb21fYXUvRWRoVm42THFoZHBNdTktSV9HRGd1VVFCYnZzSU9ZMGFObk1GNlJZZy1pX1BvUT9ydGltZT03TFl1N0ZELTNFZw&CID=e5b6b0f7-941a-4717-b89f-eb22fd30df8c&_SRM=0:G:77	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.6.156	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.38.98.94	unknown	United States	16625	AKAMAI-ASUS	false
2.18.64.220	unknown	European Union	6057	AdministracionNacionaldeTelecomunicacionesUY	false
20.189.173.7	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.89.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.22.242.17	unknown	European Union	20940	AKAMAI-ASN1EU	false
142.250.185.227	unknown	United States	15169	GOOGLEUS	false
2.22.242.16	unknown	European Union	20940	AKAMAI-ASN1EU	false
52.108.9.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.108.10.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.79.189.58	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.32.97	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.19.126.160	unknown	European Union	16625	AKAMAI-ASUS	false
95.101.54.113	unknown	European Union	34164	AKAMAI-LONGB	false
199.232.210.172	bg.microsoft.map.fastly.net	United States	54113	FASTLYUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
2.16.238.24	unknown	European Union	20940	AKAMAI-ASN1EU	false
52.111.236.7	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.108.234.31	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.142	unknown	United States	15169	GOOGLEUS	false
152.199.21.175	sni1gl.wpc.omegacdn.net	United States	15133	EDGECASTUS	false
52.123.243.71	mira-tmc.tm-4.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.38.98.66	unknown	United States	16625	AKAMAI-ASUS	false
2.18.64.215	unknown	European Union	6057	AdministracionNacionaldeTelecomunicacionesUY	false
23.38.98.71	unknown	United States	16625	AKAMAI-ASUS	false
13.107.136.10	dual-spo-0005.spo-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.174	unknown	United States	15169	GOOGLEUS	false
20.42.65.85	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.68.129	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.126.31.67	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.16.241.83	unknown	European Union	20940	AKAMAI-ASN1EU	false
142.250.74.195	unknown	United States	15169	GOOGLEUS	false
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.126.32.134	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.38.98.83	unknown	United States	16625	AKAMAI-ASUS	false
2.16.241.17	unknown	European Union	20940	AKAMAI-ASN1EU	false
142.250.185.132	www.google.com	United States	15169	GOOGLEUS	false
52.111.231.8	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.108.8.12	wac-0003.wac-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.105.28.48	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
64.233.167.84	unknown	United States	15169	GOOGLEUS	false
52.108.11.12	wac-0003.wac-dc-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.108.83.4	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.126.32.68	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.16.168.6	unknown	European Union	20940	AKAMAI-ASN1EU	false
184.28.90.27	unknown	United States	16625	AKAMAI-ASUS	false
52.105.206.27	195554-ipv4v6.farm.dprodmgd106.aa-rt.sharepoint.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.17
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550051
Start date and time:	2024-11-06 11:50:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Invoice.msg
Detection:	MAL
Classification:	mal48.winMSG@27/20@42/388
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97
Excluded domains from analysis (whitelisted): config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: Invoice.msg

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "explanation": [ "The email has a vague subject line 'Invoice' with minimal content mentioning an unspecified attachment", "The sender and recipient are the same address, which is highly suspicious", "The email contains numerous image attachments with generic names, which is often a tactic used in phishing to make emails look legitimate" ], "phishing": true, "confidence": 8 }
{ "date": "Wed, 06 Nov 2024 11:08:13 +0100", "subject": "Invoice", "communications": [ "Some people who received this message don't often get email from midhila.murali@arabianfood.om. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>\nGood Afternoon,\n\nPlease see attached that was emailed for your review.\n\n\nRegards,\n\nMidhila Murali\nHR Admin & Purchase Asst.\n\n[cid:image002.png@01DB2FEE.36E71F40] +968 95174374\n[cid:image003.png@01DB2FEE.36E71F40]\n[cid:image004.png@01DB2FEE.36E71F40] +968 26983900\n[cid:image005.png@01DB2FEE.36E71F40]+968 26983909\n\n[cid:image007.png@01DB2FEE.36E71F40] P.O.BOX: 268, PC:320\n\n[cid:image008.png@01DB2FEE.36E71F40] Sultanate Of Oman\n[cid:image009.png@01DB2FEE.36E71F40]Midhila.Murali@arabianfood.om<mailto:Midhila.Murali@arabianfood.om>\n\n[cid:image010.png@01DB2FEE.36E71F40]www.arabianfood.om<https://che01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.arabianfood.om%2F&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787667170%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=7jBX8idYKZWI33z0%2BZmZ3ePjX%2B%2BNGRNHdIT0mi%2Fskow%3D&reserved=0>\n [cid:image011.png@01DB2FEE.36E71F40] <https://che01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Farabian-food-production-company%2F&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787688133%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=89cuturwjrOMwgmyGUXgDGWWcaGF5LMl8eI7X1H7ipw%3D&reserved=0> [cid:image012.png@01DB2FEE.36E71F40] <https://che01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.instagram.com%2Fdanaeggs%2F&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787699770%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=3vXcSXJ2DJw9enaY5znSDozcb%2BZ2A0lak7LAELzK0Q8%3D&reserved=0> [cid:image013.png@01DB2FEE.36E71F40] <https://che01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2Fdanaeggs&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787713135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=HzgOdVjFUwa92f%2B%2FhROu8iSzhXl1kM8czZStwXmbI%2FE%3D&reserved=0> [cid:image014.png@01DB2FEE.36E71F40] [cid:image015.png@01DB2FEE.36E71F40] <https://che01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FDanaEggs&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787729953%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=7hWIzPD8IT1EQIW14vH3On7AnQjBDVV873naJ4d9W20%3D&reserved=0>\n[cid:image016.png@01DB2FEE.36E71F40]\n\n[A white background with many triangles Description automatically generated]\n\n" ], "from": "Midhila Murali <Midhila.Murali@arabianfood.om>", "to": "Midhila Murali <Midhila.Murali@arabianfood.om>", "attachements": [ "image001.png", "image002.png", "image003.png", "image004.png", "image005.png", "image006.png", "image007.png", "image008.png", "image009.png", "image010.png", "image011.png", "image012.png", "image013.png", "image014.png", "image015.png", "image016.png", "image017.png", "Invoice" ] }
URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Please see attached that was emailed for your review.", "prominent_button_name": "unknown", "text_input_field_labels": [ "P.O.BOX. 268,", "PC.320", "Sultanate Of", "Oman" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": true }

URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Please view the \"Arabian Food Invoice\" shared for reference.", "prominent_button_name": "Review Document: ARABIAN FOOD INVOICE", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": true }

URL: Email Model: claude-3-haiku-20240307	```json { "brands": [ "Arabian Food" ] }
	```json { "brands": [ "Arabian Food" ] }
URL: Email Model: claude-3-haiku-20240307	```json { "brands": [ "Arabian Food" ] }
	```json { "brands": [ "Arabian Food" ] }
URL: https://jameskolcreative-my.sharepoint.com/personal/admin_canterburycreative_com_au/_layouts/15/Doc.aspx?sourcedoc=%7Ba29f55d8-85ea-4cda-bbdf-88fc60e0b944%7D&action=default&slrid=653461a1-009e-4000-0673-1f280b28ba3b&originalPath=aHR0cHM6Ly9qYW1lc2tvbGNyZW Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "VIEW DOCUMENT", "prominent_button_name": "VIEW DOCUMENT", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://jameskolcreative-my.sharepoint.com/personal/admin_canterburycreative_com_au/_layouts/15/Doc.aspx?sourcedoc=%7Ba29f55d8-85ea-4cda-bbdf-88fc60e0b944%7D&action=default&slrid=653461a1-009e-4000-0673-1f280b28ba3b&originalPath=aHR0cHM6Ly9qYW1lc2tvbGNyZW Model: claude-3-haiku-20240307	```json { "brands": [] } ``` The provided image does not contain any visible brands. The page appears to be a generic "View Document" page with instructions to hold the CTRL button and click on "View Document" to access an invoice. There are no logos or brand names visible in the header, footer, or elsewhere on the page.

URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: URL: https://jameskolcreative-my.sharepoint.com
URL: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "VIEW DOCUMENT", "prominent_button_name": "VIEW DOCUMENT", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "VIEW DOCUMENT", "prominent_button_name": "VIEW DOCUMENT", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg Model: claude-3-haiku-20240307	```json { "brands": [ "Microsoft" ] }
	```json { "brands": [ "Microsoft" ] }
URL: https://jameskolcreative-my.sharepoint.com/:u:/g/personal/admin_canterburycreative_com_au/EdhVn6LqhdpMu9-I_GDguUQBbvsIOY0aNnMF6RYg-i_PoQ?rtime=7LYu7FD-3Eg Model: claude-3-haiku-20240307	```json { "brands": [] } ``` The provided image does not contain any visible brand logos or names. The page appears to be a generic web page with a "VIEW DOCUMENT" button and instructions to click on it to access an invoice. There are no brand names or logos visible in the header, footer, or any other part of the page.

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.465722094443142
Encrypted:	false
SSDEEP:
MD5:	9E176019ACAE8C82D46538D4B83F7E40
SHA1:	F85DAB24FE995255788C92BA932CBA2D6297802A
SHA-256:	B4800FCAF55DF003031EA4001210D118071BB8DA8928E4A3F909167B693A7822
SHA-512:	5C21D958B875B2660B4B5BCD47A78224209DB43F6DE0DED6AD98F94C04A5A7145E19F31BEAD2088706A858C57C9FFDD2EC45C9DF2A6DB024241235932297F87E
Malicious:	false
Reputation:	unknown
Preview:	p...... ............90..(..................................................^SZ.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.389923818432665
Encrypted:	false
SSDEEP:
MD5:	41DE698AAC1EA09DCA7FCC5BD0585CA2
SHA1:	1877FAEABAE161CCEE78FBB987F1A6B9A8192906
SHA-256:	F3C52317CAB90600135686BCF32831576E4C8033382E281EFB50035F7B1A49D6
SHA-512:	511B18658A5DCD1853397C9281C09109D7AD79A9D786441B6CE5B9C74FA99B56726F5A6F96B91FCA0F420BBD97DD896179FBBCCC754666B4DF648F19A9464EE0
Malicious:	false
Reputation:	unknown
Preview:	TH02...... ..`.90......SM01X...,......90..........IPM.Activity...........h...............h............H..h........&..%...h.........#..H..h\cal ...pDat...h.N..0...P......h..L...........h........_`Pk...h...L@...I.lw...h....H...8.Uk...0....T...............d.........2h...............k..........i...!h.............. h...2....h.....#h....8.........$h.#......8....."h............'h..............1h..L<.........0h....4....Uk../h....h.....UkH..h.W..p.........-h .............+h^..L...................... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:	dropped
Size (bytes):	1869
Entropy (8bit):	5.08641327721163
Encrypted:	false
SSDEEP:
MD5:	6A4ECAE3398831CF99910F27EE8C9058
SHA1:	9839B89B179DEB2052AE4742CB456394E2D8125B
SHA-256:	8E07A2757D453999493E0604616E540A3F90F351EF5C34448A05F194AD5F32AB
SHA-512:	90AA71C3A54D5E9CDD9541E1C7321CD7A3D072F183123AF1FFE2C86AB33F56530F9F7E4A1745BF3E2C8B9351D1D33F08CB5B19EDD924A9FFF5164BC119BE3252
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos_26215680</Id><LAT>2024-11-06T10:50:55Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2024-11-06T10:50:55Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215424</Id><LAT>2023-10-06T09:25:29Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-06T09:25:29Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-06T09:25:29Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-06T09:25:29Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JSON data
Category:	dropped
Size (bytes):	521377
Entropy (8bit):	4.9084889265453135
Encrypted:	false
SSDEEP:
MD5:	C37972CBD8748E2CA6DA205839B16444
SHA1:	9834B46ACF560146DD7EE9086DB6019FBAC13B4E
SHA-256:	D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
SHA-512:	02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
Malicious:	false
Reputation:	unknown
Preview:	{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
Category:	dropped
Size (bytes):	773040
Entropy (8bit):	6.55939673749297
Encrypted:	false
SSDEEP:
MD5:	4296A064B917926682E7EED650D4A745
SHA1:	3953A6AA9100F652A6CA533C2E05895E52343718
SHA-256:	E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
SHA-512:	A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
Malicious:	false
Reputation:	unknown
Preview:	........... OS/29....(...`cmap.s.,.......pglyf..&....\|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N.........!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&..............&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q..................{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...p..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	322260
Entropy (8bit):	4.000299760592446
Encrypted:	false
SSDEEP:
MD5:	CC90D669144261B198DEAD45AA266572
SHA1:	EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:	89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:	16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:	false
Reputation:	unknown
Preview:	51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	10
Entropy (8bit):	2.8464393446710154
Encrypted:	false
SSDEEP:
MD5:	F01855E50200AFB40CA7C9871A39FBBA
SHA1:	A435897A92F534AF0FE580A9D78CC53F9DB077B1
SHA-256:	E033C783B6A0C354CC070F690C842FBDA9A44297694F45BF5E04393B4FCF3ECA
SHA-512:	E9A03B783DD026D66E15160DE3495BEB80A160DC461F2F01EE61257E76F6C3BC9DA318CDE0D108ECC14F91B786834CD03E80F041CBE326DEE722302B1F5D11B3
Malicious:	false
Reputation:	unknown
Preview:	1730890260

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BD9BBBC7-9B69-46C8-A9B6-898DCFF18D67

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180288
Entropy (8bit):	5.2910066724912586
Encrypted:	false
SSDEEP:
MD5:	C9CF7FCD5208FA3C696375AE31E8A1B2
SHA1:	E9BC5E75C0A859A6195AF929EEF0D9CADEF1B11F
SHA-256:	65FBACBEEF7D5D2FD7BEAF651FEBA274AF237EA98956EEE348E07C872F74EFEE
SHA-512:	3A9F0EC3C9092894C6EAB60E0487B034FA2E82EE93B573711B2979A8E6F97F5D73ADFB45D702C5204B4C4CAF8CB308DDE6ACCAD134EAD211E22131DA181349BE
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-06T10:50:54">.. Build: 16.0.18223.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13640804182083313
Encrypted:	false
SSDEEP:
MD5:	03CBC5E86025E050CA66160784E39B70
SHA1:	67E95E1ABAA2AB69643DBA37D802447C581A51E5
SHA-256:	535865A6EC1C097BDB6E5627EE34644A8EE6568709616CE6F95C230FA8D3A23E
SHA-512:	F03359C43532C64775143AC1F492A9D675805E540B9FFDA80248763FE7702BB362AED49F00A4F8407DB1FA09EE74357461053DDB4D91D55C678106B40CDB16B3
Malicious:	false
Reputation:	unknown
Preview:	.... .c.....i{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:
MD5:	DC2CA92F62A6201F532509BB81C83F28
SHA1:	4F2DA0FE980F66019F1D9C08588487611ED3A52D
SHA-256:	AA761BA315615F06DE0923BCA7956DFC7C93CA7BEED3DC99A50DB6E1ADD07B22
SHA-512:	6D09438BA41B7D2597A2708B2624E8F0BE0B0091BC5690BAFC7F8EF3B62040C444A01E569F7B3DF8501ABB5D4126F8660418B72F3104F1FBD9D6A8492AF6D64E
Malicious:	false
Reputation:	unknown
Preview:	....^.........................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 6 09:51:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9763401440760218
Encrypted:	false
SSDEEP:
MD5:	8FC6556CF12DF68B789F89C3CBCE2D92
SHA1:	F70A4BE5D31E2285F657F592DCDB79C650616B5B
SHA-256:	62A69F40C67521818C8DE49A98A87F2B4C2573B533E45D0C9CC0D59214592AD2
SHA-512:	BD522C150765EB82793B94DB777F68A257D354E5AF0DA99118C0B0ADC280A7D389107071C2A9545F6C3639AB49DBEEDE7E5F754D3B7A3A8176AFA63AE94C6517
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....BP..90..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfYQV....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfYcV....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfYcV....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfYcV..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfYeV...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............SV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.002067162424876
Encrypted:	false
SSDEEP:
MD5:	A2861AE68817EFF1AC53F2EFA77ABF1B
SHA1:	2A6AD67F8E3146699A708914D6458E210B9F6CAE
SHA-256:	68B6D899BE922EC997A54C43A0CEEA43CD8C3E2936F9DA1958EF4D6A07F37EB0
SHA-512:	9B539E36916CC6FDDD2A1CDC46D37FC3154007FCD4A078B5243225CC03B49921BB5D23C9C3287E0AA0093CF9DC8B81709F372E752D4796EE13C86A12072749E7
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfYQV....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfYcV....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfYcV....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfYcV..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............SV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 6 09:51:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9772740344719444
Encrypted:	false
SSDEEP:
MD5:	1B803F58F9075ECFB4E150E8A04A47A4
SHA1:	20134E975B53FB9B694BA87AFE0F6708E533E4B3
SHA-256:	43E2312159ACCDCA3DBDB651D9385BCA56BC4563229947391F1FDBD4BDF03518
SHA-512:	5041EA67684CFDF5E0F55797D16CBE3524744CEA94F37E86C2622F11EFC068A164DF173FB7827657F11986672E5B1DD0DEFF346AF045E1E6E6C514DBC804E9ED
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....L.~.90..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfYQV....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfYcV....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfYcV....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfYcV..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfYeV...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............SV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 6 09:51:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.986466611627186
Encrypted:	false
SSDEEP:
MD5:	962B25D7C933A9C9F0681DDBE8432F4E
SHA1:	26B05E60BCE919F328DADCB5B46C758C6898F4EF
SHA-256:	90E02859D05278E8CE815E1D377190FBC46AE62E81843CEE6E93F52EF9CBECFE
SHA-512:	A8E528803EF5D6352A4402947B73502840C87343ADBEE36D99A69589E6FDC23E479D89A318E034C261DBA80B012DB8A6762B01EAF9CACFE420384768C7F693BB
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......h.90..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IfYQV....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VfYcV....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VfYcV....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VfYcV..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VfYeV...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............SV.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 367

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	210847
Entropy (8bit):	5.517637444327454
Encrypted:	false
SSDEEP:
MD5:	11AED9A5A016E221C8C83797DABF391E
SHA1:	E6D9F2A18AAB9DF8BB9C50F772B6E0D35F274580
SHA-256:	F80A5F62758F34811C802BC91E7CAD5CE8F10B7C243E40B00F337ED1F4D8C5B9
SHA-512:	AB751E295384E9D44C03C2649E822387F6B282300EAC52B47D5A0C078CC91CD68F9A2F11696BE80EDC123012C8EDFC59EEC8505B18DF9B1ACA6890B6D4F8BB51
Malicious:	false
Reputation:	unknown
URL:	https://wise.public.cdn.office.net/wise/owl/owl.82066cf09995831e92e7.js
Preview:	var Microsoft;!function(){"use strict";var t,e,n,o,r={32812:function(t,e,n){n.d(e,{h:function(){return s}});var o=n(13260),r=n(40426),i=n(19665),s=function(t){function e(){var e=null!==t&&t.apply(this,arguments)\|\|this;return e.value=null,e.hasNext=!1,e.hasCompleted=!1,e}return o.C6(e,t),e.prototype.N=function(e){return this.hasError?(e.error(this.thrownError),i.y.EMPTY):this.hasCompleted&&this.hasNext?(e.next(this.value),e.complete(),i.y.EMPTY):t.prototype.N.call(this,e)},e.prototype.next=function(t){this.hasCompleted\|\|(this.value=t,this.hasNext=!0)},e.prototype.error=function(e){this.hasCompleted\|\|t.prototype.error.call(this,e)},e.prototype.complete=function(){this.hasCompleted=!0,this.hasNext&&t.prototype.next.call(this,this.value),t.prototype.complete.call(this)},e}(r.B7)},39188:function(t,e,n){n.d(e,{t:function(){return s}});var o=n(13260),r=n(40426),i=n(92581),s=function(t){function e(e){var n=t.call(this)\|\|this;return n.B=e,n}return o.C6(e,t),Object.defineProperty(e.prototype,"va

Chrome Cache Entry: 371

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (17571), with CRLF, LF line terminators
Category:	downloaded
Size (bytes):	364439
Entropy (8bit):	5.606811463779985
Encrypted:	false
SSDEEP:
MD5:	EE7FEFE9D7B031480E9F6AB555462DDA
SHA1:	290A42F899F53F7A205296808F04307F912AAA43
SHA-256:	BDDABF083C56EFB723D586361C9F54E8BD7DFFA98D00F42AB6571ABCC2DB1190
SHA-512:	80C206D7DB8E0DAAC5C0F86B034AA729CCCA8710180E5C56D60D5F86C5ED9E47DC46381CC5636F6B0A7363E0C55129A2CDB06B8EAC704A90DCF0F73E9A7C1697
Malicious:	false
Reputation:	unknown
URL:	https://auc-visio.officeapps.live.com/v/visioframe.aspx?visioview=ConsumptionView&ui=en-US&rs=en-US&wopisrc=https%3A%2F%2Fjameskolcreative-my.sharepoint.com%2Fpersonal%2Fadmin_canterburycreative_com_au%2F_vti_bin%2Fwopi.ashx%2Ffiles%2Fa29f55d885ea4cdabbdf88fc60e0b944&wdenableroaming=1&mscc=0&wdodb=1&hid=653461A1-A0FF-4000-136A-1D64192B03BF.0&uih=sharepointcom&wdlcid=en-US&jsapi=1&jsapiver=v2&corrid=5564104a-07cf-58ba-c0ce-0913226de2be&usid=5564104a-07cf-58ba-c0ce-0913226de2be&newsession=1&sftc=1&uihit=docaspx&muv=1&cac=1&mtf=1&sfp=1&sdp=1&hch=1&hwfh=1&readonly=1&dchat=1&sc=%7B%22pmo%22%3A%22https%3A%2F%2Fjameskolcreative-my.sharepoint.com%22%2C%22pmshare%22%3Atrue%7D&ctp=LeastProtected&rct=Normal&wdorigin=Sharing.ClientRedirect&pmorigin=https%3A%2F%2Fjameskolcreative-my.sharepoint.com&filesrc=sharepointcom&fastpreview=true
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head><meta http-equiv="X-UA-Compatible" content="IE=10" /><meta HTTP-EQUIV="Content-Type" content="text/html; charset=utf-8" /><meta HTTP-EQUIV="Expires" content="0" /><script type="text/javascript"> var g_firstByte = new Date(); function highResTimeStamp() { if (performance && performance.now) { return performance.now();} return 0;} var g_firstByteHighhResTime = highResTimeStamp(); var g_pageInitStartTimeHighResTime; var g_jsLTHighhResTime = {} ; if (performance && performance.mark) performance.mark("g_firstByte"); var g_cssLT; var g_jsLT; var g_bootScriptsStartTime; var g_bootScriptsEndTime; </script><![if gte IE 8]><style type="text/css"> #load_back{width:100%;height:100%;opacity:1.0;background-color:#fff;position:absolute;z-index:1050;text-align:center;} #load_img{width:100%;height:100%;position:absolute;text-align:center;display:

Chrome Cache Entry: 379

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 text, with very long lines (65530), with no line terminators
Category:	downloaded
Size (bytes):	108513
Entropy (8bit):	5.310741046471892
Encrypted:	false
SSDEEP:
MD5:	77C9684211102D592D9C2E042C24DADE
SHA1:	0A03C6B4E4ED441D584C28DE29EC78B797ED2792
SHA-256:	BCD659260529EA730BA14B8AE4455F7E8BD97CA98FC262CA89A21563D33DA58C
SHA-512:	F5C69F10BAF63ABB1CB67D6BCC9A35C85B3DD2740D5DB88982CD722A7248FADE9DC3CD5E2F0A83F2E50E12471C667D5360390F40F547C9B10D3197286C800899
Malicious:	false
Reputation:	unknown
URL:	https://res-1.cdn.office.net/officeonline/v/s/hBCD659260529EA73_App_Scripts/MicrosoftAjaxDS.js
Preview:	window\|\|(this.window=this),window.Type=Function,window.g_MSAJAXIgnoreXHRZeroStatus=void 0===window.g_MSAJAXIgnoreXHRZeroStatus\|\|window.g_MSAJAXIgnoreXHRZeroStatus,Function.__typeName="Function",Function.__class=!0,Function.createCallback=function(e,t){return function(){var r=arguments.length;if(r>0){for(var n=[],i=0;i<r;i++)n[i]=arguments[i];return n[r]=t,e.apply(this,n)}return e.call(this,t)}},Function.createDelegate=function(e,t){return function(){return t.apply(e,arguments)}},Function.emptyFunction=Function.emptyMethod=function(){},Function.validateParameters=function(e,t,r){return Function._validateParams(e,t,r)},Function._validateParams=function(e,t,r){var n,i=t.length;if(r=r\|\|void 0===r,n=Function._validateParameterCount(e,t,r))return n.popStackFrame(),n;for(var a=0,s=e.length;a<s;a++){var o=t[Math.min(a,i-1)],l=o.name;if(o.parameterArray)l+="["+(a-i+1)+"]";else if(!r&&a>=i)break;if(n=Function._validateParameter(e[a],o,l))return n.popStackFrame(),n}return null},Function._validate

Chrome Cache Entry: 380

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	6755
Entropy (8bit):	4.382105108928836
Encrypted:	false
SSDEEP:
MD5:	FC8F88CBA5F7A9F7464EEA70A5C54570
SHA1:	E500F83B63807B0FEBFDC6ED68B3F7BD75B8B6F3
SHA-256:	553195C7DAAD5047582D7E4DE634D363456E3F04877F48E8A48F3F8A0AC3B322
SHA-512:	EF972AC61993CD98D08318A1F71ED5130CAD9BFD09397F9451C662D10F90F743FEFB8898D54F71F54EFA1CA73627C39E5C7FBAC0D96E435BC06FE5CE41B1EA28
Malicious:	false
Reputation:	unknown
URL:	https://jameskolcreative-my.sharepoint.com/_forms/spfxsinglesignon.aspx
Preview:	.. <!DOCTYPE html>.. <html>.... <head>.. <title>SPFx MSAL V3 Single Sign On Redirect Page</title>.. <script type='text/javascript' src='https://jameskolcreative-my.sharepoint.com/_layouts/15/msal_browser_min.js'></script>.. <script type='text/javascript'>.. const DEFAULT_CLIENT_ID = '08e18876-6177-487e-b8b5-cf950c1e598c';.... const STORAGE_KEYS = {.. AUTHORITY: 'spfx.msal.authority',.. CLIENT_ID: 'spfx.msal.clientId',.. V1_CLIENT_ID: 'msalRedirectClientId',.. IS_REDIRECT_IN_PROGRESS: 'spfx.msal.isRedirectInProgress',.. REDIRECTED_FROM: 'spfx.msal.redirectedFrom',.. SHOULD_USE_MSAL_BROWSER: 'spfx.msal.shouldUseMsalBrowser',.. MSAL_V1_OVERRIDE: 'spfx.msalv1.override',.. };.... const storageState = {.. authority: loadItem(STORAGE_KEYS.AUTHORITY),.. clientId: loadItem(STORAGE_KEYS.CLI

Chrome Cache Entry: 381

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (62566)
Category:	downloaded
Size (bytes):	442274
Entropy (8bit):	5.23756244421286
Encrypted:	false
SSDEEP:
MD5:	0923C5067D442BC9FD6852D9F4B126B6
SHA1:	9DB707189A5DF62987E8EB785B516C6F0ADEE954
SHA-256:	0EA06C6DD73E23B87944ABA0536BB52A1A762B381E5E5CBB21CA5362257AA82F
SHA-512:	A81043C13F1514CDBABF234E66A3B6F8D8071D5B2852BD26473DBE753F63DACE98A091D0F4635C4DBA4A133690AB242108D39103A83220C66FD0A835122E7D32
Malicious:	false
Reputation:	unknown
URL:	https://res-1.cdn.office.net/files/odsp-web-prod_2024-10-25.006/wacowlhostwebpack/35.js
Preview:	/! For license information please see 35.js.LICENSE.txt /."use strict";(self.odspNextWebpackJsonp=self.odspNextWebpackJsonp\|\|[]).push([[35],{491:(e,t,n)=>{n.d(t,{a:()=>i});var a=n(148),i=function(){function e(){this._nonceMap=new Map,this._NONCE_REGEX=/nonce="([^"]*)"/}return e.getNonceManager=function(){return null==this._nonceManager&&(this._nonceManager=new e),this._nonceManager},e.prototype.getNonceFromResource=function(e,t){var n=this,i=this._getKey(e),r=this._getNonce(i);if(r&&t)return Promise.resolve(r);var o=new Headers;o.append("Authorization","Bearer"),o.append("Accept-Auth","PoP");var s={method:"HEAD",headers:o,credentials:"omit"};return this._qosMonitor=new a.c("NonceManager.GetShrNonce"),fetch(e,s).then(function(t){var a,o,s,c=t.headers.get("www-authenticate");if(401===t.status&&c){var d=c.match(n._NONCE_REGEX);if(2!==(null==d?void 0:d.length)){var l=new Error("Unable to fetch nonce from wwwAuthenticate Header: "+c);return null===(a=n._qosMonitor)\|\|void 0===a\|\|a.writeUne

Chrome Cache Entry: 382

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (46591)
Category:	dropped
Size (bytes):	142367
Entropy (8bit):	5.430597817875451
Encrypted:	false
SSDEEP:
MD5:	CCAA31FD031C4C856EB7B986FD9F447B
SHA1:	0A809EABCDB95FA04DE5F8409B3BC994ED65CBD1
SHA-256:	3D40B4129B8B4C284908636AE46D72EA053F286FB5FE45DB78351B5B2CFC1EB9
SHA-512:	4B5B2271DB5F640FEBF13A7C0BDBD630C73530000F1593046D090585D1752E239D894614E23E801BE4C6A379406B6EF521423FA27C3865C3CD4ABB0A64823780
Malicious:	false
Reputation:	unknown
Preview:	/!. ------------------------------------------- START OF THIRD PARTY NOTICE -----------------------------------------. * . * This file is based on or incorporates material from the projects listed below (Third Party IP). The original copyright notice and the license under which Microsoft received such Third Party IP, are set forth below. Such licenses and notices are provided for informational purposes only. Microsoft licenses the Third Party IP to you under the licensing terms for the Microsoft product. Microsoft reserves all other rights not expressly granted under this agreement, whether by implication, estoppel or otherwise.. * . * json2.js (2016-05-01). * https://github.com/douglascrockford/JSON-js. * License: Public Domain. * . * Provided for Informational Purposes Only. * . * ----------------------------------------------- END OF THIRD PARTY NOTICE ------------------------------------------. */!function(e){function t(t){for(var n,r,i=t[0],a=t[1],s=0,u=[];s<i.length;s++)

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	6.67847931403546
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	Invoice.msg
File size:	658'944 bytes
MD5:	9d28d181cba5235a5024af3311bfa697
SHA1:	77ae21a95788d86aaada4861743a979bb547b113
SHA256:	d2f69c24241e5bd6d5f1b8bc68719f43cb3833de602b89a301ee852d298693f5
SHA512:	756d924e280a45fa8ebd4142c70e591437a0b0e8724f154c3b3eedc0b8436d669860413ff57523e2faee4b35a72195af0d91e3fd4ebe3fd8f3753eeeef05d686
SSDEEP:	6144:ObmYcxNj+BIygK/VTrV1JzyId8UtR+oFGNvXBYV8hDQimuSfHepBDQimuSQngUEE:FgV1B5RvFGN+V2QimfOQimfgrNsk5Rv
TLSH:	97E46E2175E95A09F27B8F3189E391979536BCC2FE11D79F3181330E1671A81D8A2B2F
File Content Preview:	........................>...................................#...................~...............................H...I..........................................................................................................................................

Static Mail

General

Subject:	Invoice
From:	Midhila Murali <Midhila.Murali@arabianfood.om>
To:	Midhila Murali <Midhila.Murali@arabianfood.om>
Cc:
BCC:
Date:	Wed, 06 Nov 2024 11:08:13 +0100
Communications:	Some people who received this message don't often get email from midhila.murali@arabianfood.om. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Good Afternoon, Please see attached that was emailed for your review. Regards, Midhila Murali HR Admin & Purchase Asst. [cid:image002.png@01DB2FEE.36E71F40] +968 95174374 [cid:image003.png@01DB2FEE.36E71F40] [cid:image004.png@01DB2FEE.36E71F40] +968 26983900 [cid:image005.png@01DB2FEE.36E71F40]+968 26983909 [cid:image007.png@01DB2FEE.36E71F40] P.O.BOX: 268, PC:320 [cid:image008.png@01DB2FEE.36E71F40] Sultanate Of Oman [cid:image009.png@01DB2FEE.36E71F40]Midhila.Murali@arabianfood.om<mailto:Midhila.Murali@arabianfood.om> [cid:image010.png@01DB2FEE.36E71F40]www.arabianfood.om<https://che01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.arabianfood.om%2F&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787667170%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=7jBX8idYKZWI33z0%2BZmZ3ePjX%2B%2BNGRNHdIT0mi%2Fskow%3D&reserved=0> [cid:image011.png@01DB2FEE.36E71F40] <https://che01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Farabian-food-production-company%2F&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787688133%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=89cuturwjrOMwgmyGUXgDGWWcaGF5LMl8eI7X1H7ipw%3D&reserved=0> [cid:image012.png@01DB2FEE.36E71F40] <https://che01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.instagram.com%2Fdanaeggs%2F&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787699770%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=3vXcSXJ2DJw9enaY5znSDozcb%2BZ2A0lak7LAELzK0Q8%3D&reserved=0> [cid:image013.png@01DB2FEE.36E71F40] <https://che01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2Fdanaeggs&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787713135%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=HzgOdVjFUwa92f%2B%2FhROu8iSzhXl1kM8czZStwXmbI%2FE%3D&reserved=0> [cid:image014.png@01DB2FEE.36E71F40] [cid:image015.png@01DB2FEE.36E71F40] <https://che01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FDanaEggs&data=05%7C02%7Cpatrick.tran%40bdo.ch%7C0f7f883b690a4b63075b08dcfe4af9a0%7C880a79fec93e4143b972dca563afc136%7C0%7C0%7C638664848787729953%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=7hWIzPD8IT1EQIW14vH3On7AnQjBDVV873naJ4d9W20%3D&reserved=0> [cid:image016.png@01DB2FEE.36E71F40] [A white background with many triangles Description automatically generated]
Attachments:	image001.png image002.png image003.png image004.png image005.png image006.png image007.png image008.png image009.png image010.png image011.png image012.png image013.png image014.png image015.png image016.png image017.png Invoice

Headers

Key	Value
Received	from DB9PR06MB8536.eurprd06.prod.outlook.com
ZR1P278MB1085.CHEP278.PROD.OUTLOOK.COM with HTTPS; Wed, 6 Nov 2024 10	14:38
ARC-Seal	i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
ARC-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
h=From	Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
ARC-Authentication-Results	i=1; mx.microsoft.com 1; spf=pass
by GV0P278MB0177.CHEP278.PROD.OUTLOOK.COM (2603	10a6:710:30::5) with
2024 10	08:13 +0000
(2603	10a6:10:28c::33) with Microsoft SMTP Server (version=TLS1_2,
Transport; Wed, 6 Nov 2024 10	08:17 +0000
Authentication-Results	spf=pass (sender IP is 40.107.22.87)
Received-SPF	Pass (protection.outlook.com: domain of arabianfood.om
via Frontend Transport; Wed, 6 Nov 2024 10	08:34 +0000
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed;
by VI1PR10MB7753.EURPRD10.PROD.OUTLOOK.COM (2603	10a6:800:1c6::12) with
Authentication-Results-Original	spf=pass (sender IP is 40.107.20.116)
15.20.8137.17 via Frontend Transport; Wed, 6 Nov 2024 10	08:16 +0000
by DBAPR06MB6966.eurprd06.prod.outlook.com (2603	10a6:10:1ae::17) with
([fe80	:6f69:5842:db1b:a7c%5]) with mapi id 15.20.8137.018; Wed, 6 Nov 2024
10	08:13 +0000
From	Midhila Murali <Midhila.Murali@arabianfood.om>
To	Midhila Murali <Midhila.Murali@arabianfood.om>
Subject	Invoice
Thread-Topic	Invoice
Thread-Index	AdswL10nPVq7GenWQu+pT4MhyrYnLQAAY9Mg
Date	Wed, 6 Nov 2024 10:08:13 +0000
Message-ID	<DB9PR06MB8536FD2C0FF0B3DFED9B76ADEE532@DB9PR06MB8536.eurprd06.prod.outlook.com>
References	<DB9PR06MB85363C0EE5A5E4DA635AEA74EE532@DB9PR06MB8536.eurprd06.prod.outlook.com>
In-Reply-To	<DB9PR06MB85363C0EE5A5E4DA635AEA74EE532@DB9PR06MB8536.eurprd06.prod.outlook.com>
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-TNEF-Correlator	Authentication-Results-Original: dkim=none (message not signed)
x-ms-traffictypediagnostic	DB9PR06MB8536:EE_\|DBAPR06MB6966:EE_\|DU2PEPF00028CFF:EE_\|VI1PR10MB7753:EE_\|ZR1PEPF0000077B:EE_\|GV0P278MB0177:EE_\|ZR1P278MB1085:EE_
X-MS-Office365-Filtering-Correlation-Id	0f7f883b-690a-4b63-075b-08dcfe4af9a0
X-MS-Exchange-SenderADCheck	0
X-MS-Exchange-AntiSpam-Relay	0
X-Microsoft-Antispam-Untrusted	BCL:0;ARA:13230040\|14060799003\|48200799018\|35042699022\|9140799003\|376014\|7416014\|61400799027\|3613699012\|8096899003;
X-Microsoft-Antispam-Message-Info-Original	=?us-ascii?Q?iX3bTqd2qEiEhHtC8KFdjT/kZeVbSVsP+dPjoJ7ercNCQZvThMgcs4qLyH+G?=
X-Forefront-Antispam-Report-Untrusted	CIP:40.107.20.116;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:EUR05-DB8-obe.outbound.protection.outlook.com;PTR:mail-db8eur05on2116.outbound.protection.outlook.com;CAT:NONE;SFS:(13230040)(14060799003)(48200799018)(35042699022)(9140799003)(376014)(7416014)(61400799027)(3613699012)(8096899003);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount	1
X-MS-Exchange-AntiSpam-MessageData-Original-0	=?us-ascii?Q?E39hnPT4Gjn66o52N8CMdpKmjeBGizZVzFg7tHKPVGNpxx4f2xfSrT/Mp/ds?=
Content-Type	multipart/mixed;
MIME-Version	1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped	GV0P278MB0177
Return-Path	APTDesignatedContacts+SRS=bICvT=SB=arabianfood.om=Midhila.Murali@bdo.global
X-EOPAttributedMessage	1
X-MS-Exchange-Transport-CrossTenantHeadersStripped	ZR1PEPF0000077B.CHEP278.PROD.OUTLOOK.COM
X-MS-Exchange-Transport-CrossTenantHeadersPromoted	ZR1PEPF0000077B.CHEP278.PROD.OUTLOOK.COM
X-MS-Office365-Filtering-Correlation-Id-Prvs	8ea05df7-b6ae-430b-3078-08dcfe4aef31
X-LD-Processed	e6504ea0-d819-45c0-b8c6-64690f272b63,ExtAddr
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-ExternalRecipientOutboundConnectors	e6504ea0-d819-45c0-b8c6-64690f272b63
X-Auto-Response-Suppress	DR, OOF, AutoReply
X-MS-Exchange-Organization-ExpirationStartTime	06 Nov 2024 10:08:34.8817
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	0f7f883b-690a-4b63-075b-08dcfe4af9a0
X-EOPTenantAttributedMessage	880a79fe-c93e-4143-b972-dca563afc136:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-PublicTrafficType	Email
X-MS-Exchange-Organization-AuthSource	ZR1PEPF0000077B.CHEP278.PROD.OUTLOOK.COM
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Exchange-Organization-SCL	1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|4073199012\|5063199012\|5073199012\|22003199012\|35042699022\|8096899003\|3613699012;
X-Forefront-Antispam-Report	CIP:40.107.22.87;CTRY:NL;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:EUR05-AM6-obe.outbound.protection.outlook.com;PTR:mail-am6eur05on2087.outbound.protection.outlook.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(4073199012)(5063199012)(5073199012)(22003199012)(35042699022)(8096899003)(3613699012);DIR:INB;SFTY:9.25;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	06 Nov 2024 10:08:34.7723
X-MS-Exchange-CrossTenant-Network-Message-Id	0f7f883b-690a-4b63-075b-08dcfe4af9a0
X-MS-Exchange-CrossTenant-Id	880a79fe-c93e-4143-b972-dca563afc136
X-MS-Exchange-CrossTenant-AuthSource	ZR1PEPF0000077B.CHEP278.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-EndToEndLatency	00:06:03.3798109
X-MS-Exchange-Processed-By-BccFoldering	15.20.8114.031
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	=?us-ascii?Q?XjVfM8QLY4FkoegQ0SW2Ry8/Azf9AUdtFmsvNJikcAN9+grGJn569+Jb5vgK?=
date	Wed, 06 Nov 2024 11:08:13 +0100

File Icon


Icon Hash:	c4e1928eacb280a2

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice.msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\FontCache\4\CatalogCacheMetaData.xml

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BD9BBBC7-9B69-46C8-A9B6-898DCFF18D67

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 367

Chrome Cache Entry: 371

Chrome Cache Entry: 379

Chrome Cache Entry: 380

Chrome Cache Entry: 381

Chrome Cache Entry: 382

Static File Info

General

Static Mail

General

Headers

File Icon

Windows Analysis Report
Invoice.msg