Edit tour

Windows Analysis Report
SWIFT.xls

Overview

General Information

Sample name:	SWIFT.xls
Analysis ID:	1578835
MD5:	ed7928a72e06e8122d90ae9eb43736d6
SHA1:	784a817af018202ee02bad8760c85b996942a38b
SHA256:	e5d3f77e814bb0dfe7773205bf105a2b9d08f6f0245b7c1808e1c72748e180e9
Tags:	exploitxlsuser-nfsec_pl
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Microsoft Office drops suspicious files

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Document embeds suspicious OLE2 link

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 1812 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

mshta.exe (PID: 5664 cmdline: C:\Windows\SysWOW64\mshta.exe -Embedding MD5: 06B02D5C097C7DB1F109749C45F3F505)

splwow64.exe (PID: 6716 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

Acrobat.exe (PID: 1708 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

EXCEL.EXE (PID: 7104 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT.xls" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 1812, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mniscreenthinkinggoodforentiretimegoodfotbusubessthings[1].hta

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 1812, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, ProcessId: 5664, ProcessName: mshta.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 14.103.79.10, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1812, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49811

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49811, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1812, Protocol: tcp, SourceIp: 14.103.79.10, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SWIFT.xls	Virustotal: Detection: 25%			Perma Link
Source: SWIFT.xls	ReversingLabs: Detection: 26%

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 14.103.79.10:443 -> 192.168.2.5:49811 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\mshta.exe

Source: global traffic

DNS query: name: s.deemos.com

Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443

Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.5:49811 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.5:49811
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 57.129.55.225:80 -> 192.168.2.5:49820
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80
Source: global traffic	TCP traffic: 192.168.2.5:49820 -> 57.129.55.225:80

Source: excel.exe

Memory has grown: Private usage: 2MB later: 125MB

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: global traffic	HTTP traffic detected: GET /lqSa1Aoh?&linen=frightened&trumpet HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: s.deemos.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 57.129.55.225

Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /lqSa1Aoh?&linen=frightened&trumpet HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: s.deemos.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 57.129.55.225

Source: global traffic

DNS traffic detected: DNS query: s.deemos.com

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SWIFT.xls, B833F2D7.emf.0.dr, 1DA485C4.emf.0.dr, 6AB36EAE.emf.0.dr, 96874680.emf.11.dr, 52C65A13.emf.0.dr, 477FA321.emf.0.dr, C1710E42.emf.0.dr, 6E440000.0.dr, 5691B099.emf.0.dr	String found in binary or memory: http://www.wowform.com
Source: SWIFT.xls, 6E440000.0.dr	String found in binary or memory: https://s.deemos.com/lqSa1Aoh?&linen=fri

Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811

Source: unknown

HTTPS traffic detected: 14.103.79.10:443 -> 192.168.2.5:49811 version: TLS 1.2

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: screenshot	OCR: document is protected have 3 p dick ACRFEVRTGL BJZFPPV.APT GRX BJZFPPV.'APT BJZFPPV.APT KLIZ! 2 3 se
Source: screenshot	OCR: document is protected have 3 p dick ACRFEVRTGL BJZFPPV.APT GRX BJZFPPV.'APT BJZFPPV.APT KLIZ! 2 3 se
Source: screenshot	OCR: document is protected 3 p dick Or&r C 1 Desch ption Of Product 1 Descri ption Of Prcoct 2 2 3 sets p
Source: screenshot	OCR: document is protected 3 p dick Or&r C 1 Desch ption Of Product 1 Descri ption Of Prcoct 2 2 3 sets p
Source: screenshot	OCR: document is protected lcm2 Descripti lcm258 Descripti Qty l_k-its sets thit 42450 23.22600 Rice CRE
Source: screenshot	OCR: document is protected CD the d Qty 2 3 sets pcs S23226_m 30'000.oo 3'000.oo 3'160.oo 3'000.oo 3'400.
Source: screenshot	OCR: document is protected ttu d (i) $2 CD 2 3 sets pcs S23226_m 30'000.oo 3'000.oo 3'160.oo 3'000.oo 3'4
Source: screenshot	OCR: document is protected ttu d (i) $2 CD 2 3 sets pcs S23226_m 30'000.oo 3'000.oo 3'160.oo 3'000.oo 3'4

Excel sheet contains many unusual embedded objects

Source: SWIFT.xls	OLE: Microsoft Excel 2007+
Source: 6E440000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mniscreenthinkinggoodforentiretimegoodfotbusubessthings[1].hta

Jump to behavior

Source: SWIFT.xls	Stream path 'MBd006D439F/\x1Ole' : https://s.deemos.com/lqSa1Aoh?&linen=frightened&trumpetw1h_xA=cAqHv.uzUqGJGExMrwr0C189bJ8UxUrTSRsvVXoyB6u2P8khUsj3kZjszVQATKdfwBGnCZ97z8Zc264Ud6YN6Z0LbeNJy3iAuOTvym2XXgObYQbDZLezhLoVDJCW9M6N4jk6UdrSdj9DqFB6c3dVBMuggpH8HEZBLT8mGhsKLsKAn8obIIdPxMDiR6wZalIppgtRVhZB6QmMwlTiU2M595Vlpnbd3_\oV8'GV5
Source: 6E440000.0.dr	Stream path 'MBD006D439F/\x1Ole' : https://s.deemos.com/lqSa1Aoh?&linen=frightened&trumpetw1h_xA=cAqHv.uzUqGJGExMrwr0C189bJ8UxUrTSRsvVXoyB6u2P8khUsj3kZjszVQATKdfwBGnCZ97z8Zc264Ud6YN6Z0LbeNJy3iAuOTvym2XXgObYQbDZLezhLoVDJCW9M6N4jk6UdrSdj9DqFB6c3dVBMuggpH8HEZBLT8mGhsKLsKAn8obIIdPxMDiR6wZalIppgtRVhZB6QmMwlTiU2M595Vlpnbd3_\oV8'GV5

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: classification engine

Classification label: mal76.expl.winXLS@8/31@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C1710E42.emf

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{5D006A8F-8CE3-4E17-938B-10A3E65C5780} - OProcSessId.dat

Jump to behavior

Source: SWIFT.xls	OLE indicator, Workbook stream: true
Source: 6E440000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SWIFT.xls	Virustotal: Detection: 25%
Source: SWIFT.xls	ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT.xls"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: c2r32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: SWIFT.xls

Initial sample: OLE indicators vbamacros = False

Source: SWIFT.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: SWIFT.xls	Stream path 'MBD006D439E/MBD006D2A09/MBD00049180/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: SWIFT.xls	Stream path 'MBD006D439E/MBD006D2A09/Workbook' entropy: 7.98367556288 (max. 8.0)
Source: SWIFT.xls	Stream path 'Workbook' entropy: 7.99809337537 (max. 8.0)
Source: 6E440000.0.dr	Stream path 'MBD006D439E/MBD006D2A09/MBD00049180/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: 6E440000.0.dr	Stream path 'MBD006D439E/MBD006D2A09/Workbook' entropy: 7.98367556288 (max. 8.0)
Source: 6E440000.0.dr	Stream path 'Workbook' entropy: 7.99829492284 (max. 8.0)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 741

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	13 Exploitation for Client Execution	1 DLL Side-Loading	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SWIFT.xls	25%	Virustotal		Browse
SWIFT.xls	26%	ReversingLabs	Document-PDF.Trojan.Heuristic

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
s.deemos.com	14.103.79.10	true	false	unknown
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s.deemos.com/lqSa1Aoh?&linen=frightened&trumpet	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://s.deemos.com/lqSa1Aoh?&linen=fri	SWIFT.xls, 6E440000.0.dr	false		unknown
http://www.wowform.com	SWIFT.xls, B833F2D7.emf.0.dr, 1DA485C4.emf.0.dr, 6AB36EAE.emf.0.dr, 96874680.emf.11.dr, 52C65A13.emf.0.dr, 477FA321.emf.0.dr, C1710E42.emf.0.dr, 6E440000.0.dr, 5691B099.emf.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
14.103.79.10	s.deemos.com	China		18002	WORLDPHONE-INASNumberforInterdomainRoutingIN	false
57.129.55.225	unknown	Belgium		2686	ATGS-MMD-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578835
Start date and time:	2024-12-20 15:20:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SWIFT.xls
Detection:	MAL
Classification:	mal76.expl.winXLS@8/31@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, svchost.exe, MavInject32.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 92.122.16.236, 52.113.194.132, 52.109.89.19, 199.232.214.172, 104.208.16.89, 184.28.90.27, 52.168.112.67, 20.190.181.4, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, onedscolprdcus11.centralus.cloudapp.azure.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, onedsco
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:22:05	API Interceptor	781x Sleep call for process: splwow64.exe modified

LLM Input / Output

Input	Output
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Purchase", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This document is protected", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "brands": [ "Microsoft", "Excel" ] }
	{ "brands": [ "Microsoft", "Excel" ] }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": [ "Microsoft", "Excel" ] }
	{ "brands": [ "Microsoft", "Excel" ] }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	pjthjsdjgjrtavv.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	Laurier Partners Proposal.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	13.107.246.63
	https://drive.google.com/file/d/1zySfUjQ3GqIVAlBHIX3CXdgIcWIqrMkO/view?usp=sharing_eil&ts=67645d30	Get hash	malicious	Unknown	Browse	13.107.246.63
	1734647107dd7eab79078510a75c9c904ec20f028e4e5eeaf98868f69fdfb304d2c24675ce436.dat-decoded.exe	Get hash	malicious	XWorm	Browse	13.107.246.63
	17346471071098118b26fa2e7fe54471af2f31e15cc65aad0de660d0190f83c19fa638201a790.dat-decoded.exe	Get hash	malicious	Njrat	Browse	13.107.246.63
	1734647107a511924ae4323dadec335a6dd4daac1533c80e42a10385a9bac8294ee73069f5190.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
bg.microsoft.map.fastly.net	tmp.zip	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	199.232.210.172
	https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	Dec 2024_12192924_Image.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	invoice.docm	Get hash	malicious	Unknown	Browse	199.232.214.172
	bad.txt	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	ep_setup.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	2JSGOlbNym.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	4hSuRTwnWJ.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	I3FtIOCni3.dll	Get hash	malicious	GhostRat	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WORLDPHONE-INASNumberforInterdomainRoutingIN	Owari.arm.elf	Get hash	malicious	Unknown	Browse	14.103.40.223
	ZEjcJZcrXc.elf	Get hash	malicious	Mirai	Browse	114.69.243.134
	SecuriteInfo.com.Linux.Siggen.9999.14080.25460.elf	Get hash	malicious	Mirai	Browse	14.103.40.233
	3b4m3C11Vd.elf	Get hash	malicious	Mirai	Browse	14.103.92.59
	HTUyCRuDev.elf	Get hash	malicious	Unknown	Browse	114.69.243.149
	XoQ5jUCXz6.elf	Get hash	malicious	Mirai	Browse	14.103.40.218
	x86_32.elf	Get hash	malicious	Mirai	Browse	114.69.243.142
	qD1LXlBAL2.elf	Get hash	malicious	Mirai	Browse	14.103.40.250
	uVpRlUULE0.elf	Get hash	malicious	Mirai	Browse	114.69.243.138
	mEMZ7TZ7CE.elf	Get hash	malicious	Unknown	Browse	14.102.85.180
ATGS-MMD-ASUS	arm7.elf	Get hash	malicious	Mirai	Browse	57.50.158.22
	nsharm.elf	Get hash	malicious	Mirai	Browse	33.241.131.44
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	56.198.189.231
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	57.146.109.82
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	33.211.47.171
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	33.172.49.9
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	48.171.43.225
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	50.15.59.79
	https://ryouthed.com/click.php?key=ij553tkpbj8t1lsuduh3&SUB_ID_SHORT=47f1db28f063a1d38918a2dcc31e91eb&COST_CPC=0.000050&PLACEMENT_ID=25101964&CAMPAIGN_ID=1170410&PUBLISHER_ID=2361353&ZONE_ID=4463547	Get hash	malicious	Unknown	Browse	34.49.73.131
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	57.234.154.183

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse	14.103.79.10
	https://registry.paratext.org	Get hash	malicious	Unknown	Browse	14.103.79.10
	Payment_Failure_Notice_Office365_sdf_[13019].html	Get hash	malicious	HTMLPhisher	Browse	14.103.79.10
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	14.103.79.10
	https://launch.app/plainsart	Get hash	malicious	HTMLPhisher	Browse	14.103.79.10
	Order_948575494759.xls	Get hash	malicious	Unknown	Browse	14.103.79.10
	Order_948575494759.xls	Get hash	malicious	Unknown	Browse	14.103.79.10
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	14.103.79.10
	https://ce4.ajax.a8b.co/get?redir=1&id=d4vCW7zizPl1mo0GYx0ELgo+CCIybH9/c4qC7CeWEuI=&uri=//the-western-fire-chiefs-association.jimdosite.com	Get hash	malicious	Unknown	Browse	14.103.79.10
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse	14.103.79.10

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	227002
Entropy (8bit):	3.392780893644728
Encrypted:	false
SSDEEP:	1536:WKPC4iyzDtrh1cK3XEivK7VK/3AYvYwgF/rRoL+sn:DPCaJ/3AYvYwglFoL+sn
MD5:	87EDBEE38F56C20298F25D5D3D4D1B5C
SHA1:	7F904E9615AC3186A87472EF366DD8202855B0B7
SHA-256:	A46B56D3ABCC137D1872DDF20EED4BCD7D04518282282ADB32DDCCF70D7FFBA6
SHA-512:	BBEBC1FCD5BC9AE042DD5782425BA8C47BF3EAC283B2487FC4E3FF6BF8101306DAB081E5135594165D4DC1AC120FF125AADBC5B3FFE7C646183C04DF77865E0D
Malicious:	false
Preview:	Adobe Acrobat Reader (64-bit) 23.6.20320....?A12_AV2_Search_18px.............................................................................................................KKK KKK.KKK.KKK.KKK.KKK.KKK@........................................KKK`KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.............................KKKPKKK.KKK.KKK.KKK.........KKKPKKK.KKK.KKK.........................KKK.KKK.KKK.KKK0....................KKK.KKK.KKK.KKK`....................KKK`KKK.KKK.............................KKK@KKK.KKK.....................KKK.KKK.KKK0................................KKK.KKK.....................KKK.KKK.....................................KKK.KKK.....................KKK.KKK.KKK0................................KKK.KKK.....................KKK`KKK.KKK.............................KKK@KKK.KKK.....................KKK.KKK.KKK.KKK@....................KKK.KKK.KKK.KKK`........................KKKPKKK.KKK.KKK.KKK.........KKKPKKK.KKK.KKK.KKK.............................KKK`KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Dec 20 10:40:27 2024, Security: 1
Entropy (8bit):	7.781464205116081
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	SWIFT.xls
File size:	699'392 bytes
MD5:	ed7928a72e06e8122d90ae9eb43736d6
SHA1:	784a817af018202ee02bad8760c85b996942a38b
SHA256:	e5d3f77e814bb0dfe7773205bf105a2b9d08f6f0245b7c1808e1c72748e180e9
SHA512:	7cbd2c5cda4c2fa86a4a6c77b90172582ff35dea7a724d2fdb1bfd4d9213372c3fb53a2b6e3886d4346fe48fe7ac45774f79e94462f3e98f5d9018ffa84f6653
SSDEEP:	12288:TsMo+aBfwVmefX0ygphV4Bzvwq6LGMxIH7KbpNE473f9tR8IO0mvg99Gr+3nKcA:IM2bphV4dH6LDIH7KJry/G9kKz
TLSH:	EDE40222F6C9DE47E856173553A322435B33BC6A5F634A0B6354732A3EB36C0C913A67
File Content Preview:	........................>...............................................................................a.......c..............................................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-12-20 10:40:27
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.292068105701867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . R . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD006D439E/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD006D439E/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	248
Entropy:	2.7990677635209242
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C a i s s e 2 0 2 4 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a4 00 00 00

General
Stream Path:	MBD006D439E/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	3.8527227374003603
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t C o r p o r a t i o n . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . @ . . . . c ? . @ . . . . Q w R . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 70 00 00 00 12 00 00 00 80 00 00 00 0b 00 00 00 98 00 00 00 0c 00 00 00 a4 00 00 00 0d 00 00 00 b0 00 00 00 13 00 00 00 bc 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD006D439E/MBD006D2A09/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD006D439E/MBD006D2A09/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	248
Entropy:	3.0523231150355867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD006D439E/MBD006D2A09/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	256
Entropy:	4.119175032995043
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c \| E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . + d R . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD006D439E/MBD006D2A09/MBD00049180/\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD006D439E/MBD006D2A09/MBD00049180/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD006D439E/MBD006D2A09/MBD00049180/CONTENTS
CLSID:
File Type:	PDF document, version 1.7, 1 pages
Stream Size:	20909
Entropy:	7.967116806702583
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 7 . % . 1 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 2 0 R . / A c r o F o r m 3 0 R . > > . e n d o b j . 4 0 o b j . < < . / P r o d u c e r ( 3 . 0 . 4 \\ ( 5 . 0 . 8 \\ ) ) . / M o d D a t e ( D : 2 0 2 3 0 9 2 2 0 3 2 2 4 8 + 0 2 ' 0 0 ' ) . > > . e n d o b j . 2 0 o b j . < < . / T y p e / P a g e s . / K i d s [ 5 0 R ] . / C o u n t 1 . > > . e n d o b j . 3 0 o b j . < < . / F i e l d s [ ] . / D R 6 0 R . > > . e n d
Data Raw:	25 50 44 46 2d 31 2e 37 0a 25 f6 e4 fc df 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 32 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 33 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 50 72 6f 64 75 63 65 72 20 28 33 2e 30 2e 34 20 5c 28 35 2e 30 2e 38 5c 29 20 29 0a 2f 4d 6f 64 44 61 74 65

General
Stream Path:	MBD006D439E/MBD006D2A09/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	134792
Entropy:	7.983675562880349
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . ) . D @ : 4 w . B . N S . . [ . . . . . R . . K . . . . . . . 3 . . . \\ . p . . . i . ) = @ . Y 9 u ? 8 . S q . . = N . . = . . x . ^ . > . ) i . . 7 Y . J ; . a ^ { B . . 2 m . . v 7 w . C . M c H , l U y , . W V B . . . g . a . . . 9 . . . . = . . . f 2 . . . . X . . . . < ) N > L . . . . . . . . . . . . . . ' [ . . . . . . . . J = . . . 2 ' . l C . @ . . . . . . . " . . . . . . . . 5 t . . . . . . . . 1 . . . p . S p . n . R . . h f ) z 1 . . . C E
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 f7 04 c7 29 d9 df ad 44 c7 40 ff 3a b9 34 77 ec 08 42 ea 18 b9 4e 81 a9 53 00 e1 12 5b 85 8f 9a 13 9f 01 d7 93 1e dc 9b 95 52 02 16 ba 4b f0 b0 e1 00 02 00 b0 04 c1 00 02 00 f0 33 e2 00 00 00 5c 00 70 00 0a ec 83 09 9b 69 df ad a9 29 9a d7 ef ea c1 3d 40 c6 d4 b9 a8 59 ec 39 75 3f 38 e7 0a d5

General
Stream Path:	MBD006D439E/MBD006D34A9/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD006D439E/MBD006D34A9/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	364
Entropy:	3.4605270620647737
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . < . . . . . . . . . . . P . . . . . . . X . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . S h e e t 5 . . . . . S h e e t 6 . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 3c 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 78 00 00 00 0b 00 00 00 80 00 00 00 10 00 00 00 88 00 00 00 13 00 00 00 90 00 00 00 16 00 00 00 98 00 00 00 0d 00 00 00 a0 00 00 00 0c 00 00 00 17 01 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SWIFT.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

C:\Users\user\AppData\Local\Microsoft\Office\Features\1-7FeatureCache.txt (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1DA485C4.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\42DE055B.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\477FA321.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\52C65A13.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5691B099.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\614B87A0.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6AB36EAE.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8D597FDA.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\96874680.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B0B3EDC6.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B5B1F9FD.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B833F2D7.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C1710E42.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C463FEEC.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E235F70F.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mniscreenthinkinggoodforentiretimegoodfotbusubessthings[1].hta

C:\Users\user\AppData\Local\Temp\6D759481.tmp

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-20 09-22-17-800.log

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Windows Analysis Report
SWIFT.xls

General
Stream Path:	MBD006D439E/MBD006D34A9/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	264
Entropy:	3.861977664967372
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . 4 . . @ . . . . 9 . @ . . . . C p R . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 02 00 00 00 58 00 00 00 04 00 00 00 70 00 00 00 08 00 00 00 84 00 00 00 12 00 00 00 94 00 00 00 0b 00 00 00 ac 00 00 00 0c 00 00 00 b8 00 00 00 0d 00 00 00 c4 00 00 00 13 00 00 00 d0 00 00 00

General
Stream Path:	MBD006D439E/MBD006D34A9/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	28794
Entropy:	3.895705393727193
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . x . < . - . 9 .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c9 80 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

General
Stream Path:	MBD006D439E/MBd006D26D0/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD006D439E/MBd006D26D0/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	14238
Entropy:	7.304582151499508
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . ~ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 8c e9 8c 8c 7e 01 00 00 8c 05 00 00 13 00 dc 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d8 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD006D439E/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	215117
Entropy:	7.7174755790684175
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . # . 8 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

General
Stream Path:	MBd006D439F/\x1Ole
CLSID:
File Type:	data
Stream Size:	660
Entropy:	4.594258403837487
Base64 Encoded:	False
Data ASCII:	. . . . . F + . I . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . s . . . d . e . e . m . o . s . . . c . o . m . / . l . q . S . a . 1 . A . o . h . ? . & . l . i . n . e . n . = . f . r . i . g . h . t . e . n . e . d . & . t . r . u . m . p . e . t . . . . w 1 h _ x . A = c A q H v . u z U q . G J G E x M . r . w r 0 C . . . . . . . . . . . . . . . . . . . 1 . 8 . 9 . b . J . 8 . U . x . U . r . T . S . R . s . v . V . X . o . y . B . 6 . u . 2 . P . 8 . k . h . U . s . j
Data Raw:	01 00 00 02 09 da 46 2b c3 14 c4 49 00 00 00 00 00 00 00 00 00 00 00 00 a8 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b a4 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 73 00 2e 00 64 00 65 00 65 00 6d 00 6f 00 73 00 2e 00 63 00 6f 00 6d 00 2f 00 6c 00 71 00 53 00 61 00 31 00 41 00 6f 00 68 00 3f 00 26 00 6c 00 69 00 6e 00 65 00 6e 00 3d 00 66 00 72 00 69 00

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	269152
Entropy:	7.998093375369374
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . . f T A ' ! . T V . . m h L } / . 8 . < . . [ I . . . . . . . 3 . . . \\ . p . F ` . y . 1 . r . 0 I Y . V & o ) b Q . k s 6 7 ` . d E K . . . ^ M s N V . . w . * i . H . . . > s . j l f 7 J . . 3 O c ] . . I A L B . . . H a . . . 6 . . . = . . . . . . . . . . x Q ( A . f j . . b 4 8 . . . 2 . . . . " . . . . P > . . . . P . . . . . . . . = . . . _ 4 4 . . m . t @ . . . # . . . . . . " . . . . ` . . . . % . . . ! y . . . B 1 . . . . . k K S . . ! . O
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 fb 11 c7 08 66 54 c5 41 e1 27 21 8d e0 c7 08 c5 ea 9a d0 54 56 a7 0b c3 2e 86 6d 68 4c 7d 2f 04 df c0 38 f1 ea 9a 05 bc 3c 0c 97 1c 5b 49 89 eb e1 00 02 00 b0 04 c1 00 02 00 8a 33 e2 00 00 00 5c 00 70 00 88 d1 46 cf 60 ed 19 79 0c cd 31 fa 01 72 2e 30 a1 d2 cd 49 fb 59 08 fe a5 f5 56 26 6f 9b

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 15:21:54.018548012 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:54.018635035 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:54.018708944 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:54.019040108 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:54.019069910 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:55.670550108 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:55.670830011 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:55.699790955 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:55.699842930 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:55.700783968 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:55.700877905 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:55.701332092 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:55.743361950 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:57.298877954 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:57.299019098 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:57.299138069 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:57.304349899 CET	49811	443	192.168.2.5	14.103.79.10
Dec 20, 2024 15:21:57.304377079 CET	443	49811	14.103.79.10	192.168.2.5
Dec 20, 2024 15:21:57.306093931 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:57.427445889 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:57.427541971 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:57.427826881 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:57.547875881 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.703012943 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.703057051 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.703097105 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.703159094 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.703193903 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.703227997 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.703232050 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.703250885 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.703268051 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.703344107 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.703344107 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.703866959 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.703922987 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.704085112 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.704118013 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.704144955 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.704154015 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.704185009 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.704207897 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.823880911 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.823966980 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.823966026 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.824027061 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.827976942 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.828044891 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.897053957 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.897147894 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.897268057 CET	80	49820	57.129.55.225	192.168.2.5
Dec 20, 2024 15:21:58.897322893 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.971995115 CET	49820	80	192.168.2.5	57.129.55.225
Dec 20, 2024 15:21:58.972059011 CET	49820	80	192.168.2.5	57.129.55.225

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 15:21:53.275732994 CET	51117	53	192.168.2.5	1.1.1.1
Dec 20, 2024 15:21:54.017867088 CET	53	51117	1.1.1.1	192.168.2.5

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 15:21:08.963913918 CET	1.1.1.1	192.168.2.5	0x18a4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:21:08.963913918 CET	1.1.1.1	192.168.2.5	0x18a4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:21:17.353897095 CET	1.1.1.1	192.168.2.5	0xbfb2	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 15:21:17.353897095 CET	1.1.1.1	192.168.2.5	0xbfb2	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:21:29.700484991 CET	1.1.1.1	192.168.2.5	0xd2b3	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 15:21:29.700484991 CET	1.1.1.1	192.168.2.5	0xd2b3	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:21:54.017867088 CET	1.1.1.1	192.168.2.5	0x8b92	No error (0)	s.deemos.com		14.103.79.10	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:22:13.524734020 CET	1.1.1.1	192.168.2.5	0xba34	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 20, 2024 15:22:13.524734020 CET	1.1.1.1	192.168.2.5	0xba34	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false