Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
DanielEmployee-Handbook-84408.doc

Overview

General Information

Sample name:DanielEmployee-Handbook-84408.doc
Analysis ID:1648840
MD5:38df9ff0fcbd2e8312b9f33cfb7978b7
SHA1:3a6a98181d6eb63f67a10a746f5b490633eebc9f
SHA256:ce09989dc9e230fc9c09a072cb940c1c9c3a79bf4afc6acb3b9ada8a9d11b2f7
Infos:

Detection

Gabagool
Score:64
Range:0 - 100
Confidence:100%

Signatures

Yara detected Gabagool
AI detected landing page (webpage, office document or email)
AI detected suspicious Javascript
HTML page contains hidden URLs
HTML page contains suspicious javascript code
Creates files inside the system directory
Deletes files inside the Windows folder
HTML body contains low number of good links
HTML body contains password input but no form action
HTML body with high number of embedded images detected
HTML page contains hidden javascript code
HTML title does not match URL
Javascript checks online IP of machine
Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64_ra
  • WINWORD.EXE (PID: 6980 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DanielEmployee-Handbook-84408.doc" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • chrome.exe (PID: 6232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNo MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 2908 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1852,i,15677767103116438675,16553663629396892910,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup

Yara Signatures

HTML

SourceRuleDescriptionAuthorStrings
0.6.pages.csvJoeSecurity_GabagoolYara detected GabagoolJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    • Phishing
    • Compliance
    • Software Vulnerabilities
    • Networking
    • System Summary
    • Hooking and other Techniques for Hiding and Protection
    • Malware Analysis System Evasion
    • Language, Device and Operating System Detection

    Click to jump to signature section

    Show All Signature Results

    Phishing

    barindex
    Source: Yara matchFile source: 0.6.pages.csv, type: HTML
    Source: Screenshot id: 8Joe Sandbox AI: Screenshot id: 8 contains QR code
    Source: Screenshot id: 9Joe Sandbox AI: Screenshot id: 9 contains QR code
    Source: 0.2..script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and the use of obfuscated code/URLs. It appears to be a malicious script that collects sensitive user data and redirects to a suspicious domain. The script also uses a custom encryption function, which is a common technique used by malware to hide its true purpose. Overall, this script demonstrates a high level of risk and should be treated with caution.
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: https://one.alketbilabs.ai/
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/HTTP Parser: window.location.href = atob(
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: Number of links: 0
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: <input type="password" .../> found but no <form action="...
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: Total embedded image size: 45708
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: Base64 decoded: 7348404680:AAG5cg3LfqrevShg6e68hVPGRbOn0uByDc4
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: Title: Account sign in does not match URL
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/HTTP Parser: let current_ip = null;function u7p0ddgu(plaintext, key) { const keysize = [16, 24, 32]; if (!keysize.includes(key.length)) { throw new error("incorrect aes key length. use a 16, 24, or 32 bytes key."); } // generate a random iv (initialization vector) const iv = cryptojs.lib.wordarray.random(16); // encrypt the plain text using aes with the given key and random iv const encrypted = cryptojs.aes.encrypt(cryptojs.enc.utf8.parse(plaintext), cryptojs.enc.utf8.parse(key), { iv: iv, mode: cryptojs.mode.cbc, padding: cryptojs.pad.pkcs7 }); // combine the iv and ciphertext (iv is necessary for decryption) const encrypteddata = iv.concat(encrypted.ciphertext); // convert the combined data to base64 for easy transmission or storage return cryptojs.enc.base64.stringify(encrypteddata);}let psk = "tkmfegrwkpckcq7hmgj2ab6fkpq+wd3ju5k4ektobb5socm8yosjwgf/qhrdip3pd/0luvdy3vyallb42ur+1q==";tb = "nzm0odqwndy4mdpbquc1y2cztgzxcmv2u2hnnmu2oghwuedsyk9umhvceurjna==";...
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/HTTP Parser: let usuuid = "tkmfegrwkpckcq7hmgj2ab6fkpq+wd3ju5k4ektobb5socm8yosjwgf/qhrdip3pd/0luvdy3vyallb42ur+1q=="; let policy = "xrhayzdlugvbr+c+/ccx6favvw8bhenhoagfxohejvipzw9bfgidd60tywt5vrao"; let sv = "0"; let sir = "0"; let tb = "nzm0odqwndy4mdpbquc1y2cztgzxcmv2u2hnnmu2oghwuedsyk9umhvceurjna=="; function decstr(encryptedstring, key) { const keysize = [16, 24, 32]; if (!keysize.includes(key.length)) { throw new error("incorrect aes key length. use a 16, 24, or 32 bytes key."); } const encrypteddata = cryptojs.enc.base64.parse(encryptedstring); const iv = cryptojs.lib.wordarray.create(encrypteddata.words.slice(0, 4)); const ciphertext = cryptojs.lib.wordarray.create( encrypteddata.words.slice(4) ); const decrypteddata = cryptojs.aes.decrypt( { ciphertext: ciphertext, }, cry...
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: <input type="password" .../> found
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: No favicon
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: No favicon
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: No favicon
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: No favicon
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: No favicon
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: No <meta name="author".. found
    Source: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNoHTTP Parser: No <meta name="copyright".. found
    Source: unknownHTTPS traffic detected: 192.227.220.12:443 -> 192.168.2.16:49711 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.227.220.12:443 -> 192.168.2.16:49710 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.227.220.12:443 -> 192.168.2.16:49716 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.18.94.41:443 -> 192.168.2.16:49721 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.18.95.41:443 -> 192.168.2.16:49726 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.18.94.41:443 -> 192.168.2.16:49731 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.251.40.196:443 -> 192.168.2.16:49734 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49745 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.26.0.170:443 -> 192.168.2.16:49746 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.194.137:443 -> 192.168.2.16:49749 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.68.147:443 -> 192.168.2.16:49750 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.26.8.44:443 -> 192.168.2.16:49751 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 35.190.80.1:443 -> 192.168.2.16:49752 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.26.8.44:443 -> 192.168.2.16:49755 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 23.209.72.31:443 -> 192.168.2.16:49759 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 23.209.72.31:443 -> 192.168.2.16:49760 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 23.216.132.53:443 -> 192.168.2.16:49761 version: TLS 1.2
    Source: chrome.exeMemory has grown: Private usage: 11MB later: 33MB
    Source: winword.exeMemory has grown: Private usage: 22MB later: 59MB
    Source: unknownTCP traffic detected without corresponding DNS query: 142.250.176.195
    Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
    Source: unknownTCP traffic detected without corresponding DNS query: 142.250.176.195
    Source: unknownTCP traffic detected without corresponding DNS query: 199.232.214.172
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4 HTTP/1.1Host: daniel.abovetheaether.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/ HTTP/1.1Host: daniel.abovetheaether.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /turnstile/v0/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /turnstile/v0/b/708f7a809116/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/zash8/0x4AAAAAABCZW8FRIuiyUZVo/auto/fbE/new/normal/auto/ HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeSec-Fetch-Storage-Access: activeReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/orchestrate/chl_api/v1?ray=926519525f71438a&lang=auto HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/zash8/0x4AAAAAABCZW8FRIuiyUZVo/auto/fbE/new/normal/auto/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/cmg/1 HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/zash8/0x4AAAAAABCZW8FRIuiyUZVo/auto/fbE/new/normal/auto/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: daniel.abovetheaether.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=l2lscvaue5qu6u5a3gur4pc3u3; cookie_test=test; js_enabled=true
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/cmg/1 HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/flow/ov1/368719083:1742973996:LzswHp7nSv2AMlJYtgWZMvWDcz_EDLtcZKVIZY1hq3A/926519525f71438a/io8R8izqWTc4uow7QgZfuDgSbi148PzUIj.vhIbyc64-1742975864-1.1.1.1-bkrn3NAEDePA4SKgiQN80tJPqWAS3uLYk3Qdn4JA0GcWWuHZBiJy3JphVyWVWJnk HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/d/926519525f71438a/1742975865943/PfhuddysdPN7kjP HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/zash8/0x4AAAAAABCZW8FRIuiyUZVo/auto/fbE/new/normal/auto/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/d/926519525f71438a/1742975865943/PfhuddysdPN7kjP HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/pat/926519525f71438a/1742975865943/3b93c1f95d7a057303351ccf8bbd8648e33381b6c6533a34154bb2bf304ca069/m-PZqVtlr_hNiC8 HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/zash8/0x4AAAAAABCZW8FRIuiyUZVo/auto/fbE/new/normal/auto/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /cdn-cgi/challenge-platform/h/b/flow/ov1/368719083:1742973996:LzswHp7nSv2AMlJYtgWZMvWDcz_EDLtcZKVIZY1hq3A/926519525f71438a/io8R8izqWTc4uow7QgZfuDgSbi148PzUIj.vhIbyc64-1742975864-1.1.1.1-bkrn3NAEDePA4SKgiQN80tJPqWAS3uLYk3Qdn4JA0GcWWuHZBiJy3JphVyWVWJnk HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/ HTTP/1.1Host: daniel.abovetheaether.comConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=l2lscvaue5qu6u5a3gur4pc3u3; cookie_test=test; js_enabled=true
    Source: global trafficHTTP traffic detected: GET /ajax/libs/crypto-js/4.0.0/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: one.alketbilabs.aiConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ipapi.coConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Origin: https://daniel.abovetheaether.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ipapi.coConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Origin: https://daniel.abovetheaether.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ipapi.coConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1Host: ipapi.coConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: one.alketbilabs.aiConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /c1c6b6c8-tqvjjjs8quzswro4bao3s3c1piu6ptnorcwywjhitls/logintenantbranding/0/illustration?ts=638514625352065626 HTTP/1.1Host: aadcdn.msauthimages.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /c1c6b6c8-tqvjjjs8quzswro4bao3s3c1piu6ptnorcwywjhitls/logintenantbranding/0/bannerlogo?ts=638514609278239123 HTTP/1.1Host: aadcdn.msauthimages.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://daniel.abovetheaether.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /c1c6b6c8-tqvjjjs8quzswro4bao3s3c1piu6ptnorcwywjhitls/logintenantbranding/0/illustration?ts=638514625352065626 HTTP/1.1Host: aadcdn.msauthimages.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficDNS traffic detected: DNS query: daniel.abovetheaether.com
    Source: global trafficDNS traffic detected: DNS query: challenges.cloudflare.com
    Source: global trafficDNS traffic detected: DNS query: www.google.com
    Source: global trafficDNS traffic detected: DNS query: cdnjs.cloudflare.com
    Source: global trafficDNS traffic detected: DNS query: one.alketbilabs.ai
    Source: global trafficDNS traffic detected: DNS query: code.jquery.com
    Source: global trafficDNS traffic detected: DNS query: ipapi.co
    Source: global trafficDNS traffic detected: DNS query: a.nel.cloudflare.com
    Source: global trafficDNS traffic detected: DNS query: aadcdn.msauthimages.net
    Source: unknownHTTP traffic detected: POST /cdn-cgi/challenge-platform/h/b/flow/ov1/368719083:1742973996:LzswHp7nSv2AMlJYtgWZMvWDcz_EDLtcZKVIZY1hq3A/926519525f71438a/io8R8izqWTc4uow7QgZfuDgSbi148PzUIj.vhIbyc64-1742975864-1.1.1.1-bkrn3NAEDePA4SKgiQN80tJPqWAS3uLYk3Qdn4JA0GcWWuHZBiJy3JphVyWVWJnk HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveContent-Length: 3492sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: text/plain;charset=UTF-8cf-chl: io8R8izqWTc4uow7QgZfuDgSbi148PzUIj.vhIbyc64-1742975864-1.1.1.1-bkrn3NAEDePA4SKgiQN80tJPqWAS3uLYk3Qdn4JA0GcWWuHZBiJy3JphVyWVWJnkcf-chl-ra: 0sec-ch-ua-mobile: ?0Accept: */*Origin: https://challenges.cloudflare.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeReferer: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/zash8/0x4AAAAAABCZW8FRIuiyUZVo/auto/fbE/new/normal/auto/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Mar 2025 07:57:45 GMTContent-Type: text/htmlContent-Length: 58296Connection: closeVary: Accept-EncodingETag: "67e22d7a-e3b8"
    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
    Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
    Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
    Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
    Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
    Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
    Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
    Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
    Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
    Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
    Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
    Source: unknownHTTPS traffic detected: 192.227.220.12:443 -> 192.168.2.16:49711 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.227.220.12:443 -> 192.168.2.16:49710 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.227.220.12:443 -> 192.168.2.16:49716 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.18.94.41:443 -> 192.168.2.16:49721 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.18.95.41:443 -> 192.168.2.16:49726 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.18.94.41:443 -> 192.168.2.16:49731 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.251.40.196:443 -> 192.168.2.16:49734 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.17.24.14:443 -> 192.168.2.16:49745 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.26.0.170:443 -> 192.168.2.16:49746 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 151.101.194.137:443 -> 192.168.2.16:49749 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.68.147:443 -> 192.168.2.16:49750 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.26.8.44:443 -> 192.168.2.16:49751 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 35.190.80.1:443 -> 192.168.2.16:49752 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.26.8.44:443 -> 192.168.2.16:49755 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 23.209.72.31:443 -> 192.168.2.16:49759 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 23.209.72.31:443 -> 192.168.2.16:49760 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 23.216.132.53:443 -> 192.168.2.16:49761 version: TLS 1.2
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir6232_828999298
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir6232_828999298
    Source: classification engineClassification label: mal64.phis.winDOC@23/12@28/196
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\Desktop\~$nielEmployee-Handbook-84408.doc
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{FA79433B-70D6-49F0-A3A7-4591853CE6E6} - OProcSessId.dat
    Source: DanielEmployee-Handbook-84408.docOLE indicator, Word Document stream: true
    Source: DanielEmployee-Handbook-84408.docOLE document summary: title field not present or empty
    Source: DanielEmployee-Handbook-84408.docOLE document summary: author field not present or empty
    Source: DanielEmployee-Handbook-84408.docOLE document summary: edited time not present or 0
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEFile read: C:\Users\desktop.ini
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\DanielEmployee-Handbook-84408.doc" /o ""
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess created: unknown unknown
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNo
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1852,i,15677767103116438675,16553663629396892910,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1852,i,15677767103116438675,16553663629396892910,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
    Source: DanielEmployee-Handbook-84408.docInitial sample: OLE summary codepage = 1200
    Source: DanielEmployee-Handbook-84408.docInitial sample: OLE document summary codepagedoc = 1200
    Source: DanielEmployee-Handbook-84408.docInitial sample: OLE indicators vbamacros = False
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information queried: ProcessInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity Information1
    Scripting    		Valid AccountsWindows Management Instrumentation2
    Browser Extensions    		1
    Process Injection    		11
    Masquerading    		OS Credential Dumping1
    Process Discovery    		Remote ServicesData from Local System1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/Job1
    Scripting    		1
    Extra Window Memory Injection    		1
    Process Injection    		LSASS Memory1
    File and Directory Discovery    		Remote Desktop ProtocolData from Removable Media3
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
    Deobfuscate/Decode Files or Information    		Security Account Manager2
    System Information Discovery    		SMB/Windows Admin SharesData from Network Shared Drive4
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
    File Deletion    		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture5
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    Extra Window Memory Injection    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

    Screenshots

    Download Video

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA40%Avira URL Cloudsafe
    https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/pat/926519525f71438a/1742975865943/3b93c1f95d7a057303351ccf8bbd8648e33381b6c6533a34154bb2bf304ca069/m-PZqVtlr_hNiC80%Avira URL Cloudsafe
    https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/zash8/0x4AAAAAABCZW8FRIuiyUZVo/auto/fbE/new/normal/auto/0%Avira URL Cloudsafe
    https://daniel.abovetheaether.com/favicon.ico0%Avira URL Cloudsafe
    https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/flow/ov1/368719083:1742973996:LzswHp7nSv2AMlJYtgWZMvWDcz_EDLtcZKVIZY1hq3A/926519525f71438a/io8R8izqWTc4uow7QgZfuDgSbi148PzUIj.vhIbyc64-1742975864-1.1.1.1-bkrn3NAEDePA4SKgiQN80tJPqWAS3uLYk3Qdn4JA0GcWWuHZBiJy3JphVyWVWJnk0%Avira URL Cloudsafe
    https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_api/v1?ray=926519525f71438a&lang=auto0%Avira URL Cloudsafe
    https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/d/926519525f71438a/1742975865943/PfhuddysdPN7kjP0%Avira URL Cloudsafe
    https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/0%Avira URL Cloudsafe
    https://one.alketbilabs.ai/0%Avira URL Cloudsafe
    https://aadcdn.msauthimages.net/c1c6b6c8-tqvjjjs8quzswro4bao3s3c1piu6ptnorcwywjhitls/logintenantbranding/0/bannerlogo?ts=6385146092782391230%Avira URL Cloudsafe
    https://aadcdn.msauthimages.net/c1c6b6c8-tqvjjjs8quzswro4bao3s3c1piu6ptnorcwywjhitls/logintenantbranding/0/illustration?ts=6385146253520656260%Avira URL Cloudsafe
    https://a.nel.cloudflare.com/report/v4?s=xo%2BjOKkmIL8zIEumm0uX7HJAxmNcBe9ozzwr5pys8SJFMKqKYbGmZjML955IGzrH63DUkU6kw9uN4iY6Vn4Nj%2BepcjXsQYPbAt05NLs1WrkVW8G167W1wO23S%2BB7HbpwViCtng%3D%3D0%Avira URL Cloudsafe
    https://ipapi.co/json/0%Avira URL Cloudsafe
    https://a.nel.cloudflare.com/report/v4?s=MF%2FKrewD2WefXkXNtV%2BuXoj%2FIH82XunU7iiFxQQ64H6PaaifF3GjveJKWXWOVHkNMjkmI0imlLTbaGO8%2B2MZAJzMJWsh58JJY%2BtMZ8JkaPW2kxi1MoTE9KypTndR%2B51dwG31iQ%3D%3D0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    daniel.abovetheaether.com
    		192.227.220.12
    		truetrue
      		unknown
      ipapi.co
      		104.26.8.44
      		truefalse
        		high
        a.nel.cloudflare.com
        		35.190.80.1
        		truefalse
          		high
          e329293.dscd.akamaiedge.net
          		23.209.72.31
          		truefalse
            		high
            code.jquery.com
            		151.101.194.137
            		truefalse
              		high
              cdnjs.cloudflare.com
              		104.17.24.14
              		truefalse
                		high
                challenges.cloudflare.com
                		104.18.94.41
                		truefalse
                  		high
                  www.google.com
                  		142.251.40.196
                  		truefalse
                    		high
                    s-0005.dual-s-msedge.net
                    		52.123.129.14
                    		truefalse
                      		high
                      one.alketbilabs.ai
                      		104.26.0.170
                      		truetrue
                        		unknown
                        aadcdn.msauthimages.net
                        		unknown
                        		unknownfalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/cmg/1false
                            		high
                            https://aadcdn.msauthimages.net/c1c6b6c8-tqvjjjs8quzswro4bao3s3c1piu6ptnorcwywjhitls/logintenantbranding/0/bannerlogo?ts=638514609278239123false
                            • Avira URL Cloud: safe
                            		unknown
                            https://code.jquery.com/jquery-3.6.0.min.jsfalse
                              		high
                              https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.jsfalse
                                		high
                                https://a.nel.cloudflare.com/report/v4?s=MF%2FKrewD2WefXkXNtV%2BuXoj%2FIH82XunU7iiFxQQ64H6PaaifF3GjveJKWXWOVHkNMjkmI0imlLTbaGO8%2B2MZAJzMJWsh58JJY%2BtMZ8JkaPW2kxi1MoTE9KypTndR%2B51dwG31iQ%3D%3Dfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4false
                                • Avira URL Cloud: safe
                                		unknown
                                https://challenges.cloudflare.com/turnstile/v0/api.jsfalse
                                  		high
                                  https://aadcdn.msauthimages.net/c1c6b6c8-tqvjjjs8quzswro4bao3s3c1piu6ptnorcwywjhitls/logintenantbranding/0/illustration?ts=638514625352065626false
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/turnstile/if/ov2/av0/rcv/zash8/0x4AAAAAABCZW8FRIuiyUZVo/auto/fbE/new/normal/auto/false
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://daniel.abovetheaether.com/favicon.icofalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/pat/926519525f71438a/1742975865943/3b93c1f95d7a057303351ccf8bbd8648e33381b6c6533a34154bb2bf304ca069/m-PZqVtlr_hNiC8false
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://challenges.cloudflare.com/turnstile/v0/b/708f7a809116/api.jsfalse
                                    		high
                                    https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/d/926519525f71438a/1742975865943/PfhuddysdPN7kjPfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/flow/ov1/368719083:1742973996:LzswHp7nSv2AMlJYtgWZMvWDcz_EDLtcZKVIZY1hq3A/926519525f71438a/io8R8izqWTc4uow7QgZfuDgSbi148PzUIj.vhIbyc64-1742975864-1.1.1.1-bkrn3NAEDePA4SKgiQN80tJPqWAS3uLYk3Qdn4JA0GcWWuHZBiJy3JphVyWVWJnkfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/#MZGFuaWVsLmhpbm5pQHNlbHV0aW9uLmNotrue
                                      		unknown
                                      https://daniel.abovetheaether.com/gNGIAEMgkIAhAAGA0YgAQyCggDEAAYCBgNGB4yCggEEAAYCBgNGB4yCggFEAAYCBgNGB4yCggGEAAYCBgNGB4yCgg/dy7iZ8OaB7nkwN4Pv5njsA4/true
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_api/v1?ray=926519525f71438a&lang=autofalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://one.alketbilabs.ai/true
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://a.nel.cloudflare.com/report/v4?s=xo%2BjOKkmIL8zIEumm0uX7HJAxmNcBe9ozzwr5pys8SJFMKqKYbGmZjML955IGzrH63DUkU6kw9uN4iY6Vn4Nj%2BepcjXsQYPbAt05NLs1WrkVW8G167W1wO23S%2BB7HbpwViCtng%3D%3Dfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.jsfalse
                                        		high
                                        https://ipapi.co/json/false
                                        • Avira URL Cloud: safe
                                        		unknown

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        104.26.8.44
                                        		ipapi.coUnited States
                                        		13335CLOUDFLARENETUSfalse
                                        23.204.23.20
                                        		unknownUnited States
                                        		16625AKAMAI-ASUSfalse
                                        142.250.80.110
                                        		unknownUnited States
                                        		15169GOOGLEUSfalse
                                        104.18.94.41
                                        		challenges.cloudflare.comUnited States
                                        		13335CLOUDFLARENETUSfalse
                                        142.251.40.227
                                        		unknownUnited States
                                        		15169GOOGLEUSfalse
                                        142.251.32.99
                                        		unknownUnited States
                                        		15169GOOGLEUSfalse
                                        52.123.129.14
                                        		s-0005.dual-s-msedge.netUnited States
                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                        20.189.173.17
                                        		unknownUnited States
                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                        192.227.220.12
                                        		daniel.abovetheaether.comUnited States
                                        		36352AS-COLOCROSSINGUStrue
                                        142.251.40.196
                                        		www.google.comUnited States
                                        		15169GOOGLEUSfalse
                                        151.101.194.137
                                        		code.jquery.comUnited States
                                        		54113FASTLYUSfalse
                                        35.190.80.1
                                        		a.nel.cloudflare.comUnited States
                                        		15169GOOGLEUSfalse
                                        23.209.72.31
                                        		e329293.dscd.akamaiedge.netUnited States
                                        		20940AKAMAI-ASN1EUfalse
                                        52.109.20.38
                                        		unknownUnited States
                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                        104.17.24.14
                                        		cdnjs.cloudflare.comUnited States
                                        		13335CLOUDFLARENETUSfalse
                                        1.1.1.1
                                        		unknownAustralia
                                        		13335CLOUDFLARENETUSfalse
                                        104.26.0.170
                                        		one.alketbilabs.aiUnited States
                                        		13335CLOUDFLARENETUStrue
                                        23.216.132.53
                                        		unknownUnited States
                                        		7016CCCH-3USfalse
                                        172.67.68.147
                                        		unknownUnited States
                                        		13335CLOUDFLARENETUSfalse
                                        52.111.251.17
                                        		unknownUnited States
                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                        104.18.95.41
                                        		unknownUnited States
                                        		13335CLOUDFLARENETUSfalse
                                        142.250.65.206
                                        		unknownUnited States
                                        		15169GOOGLEUSfalse
                                        142.251.40.163
                                        		unknownUnited States
                                        		15169GOOGLEUSfalse
                                        142.251.163.84
                                        		unknownUnited States
                                        		15169GOOGLEUSfalse

                                        Private

                                        IP
                                        192.168.2.16
                                        192.168.2.23

                                        General Information

                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1648840
                                        Start date and time:2025-03-26 08:56:27 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:17
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • EGA enabled
                                        Analysis Mode:stream
                                        Analysis stop reason:Timeout
                                        Sample name:DanielEmployee-Handbook-84408.doc
                                        Detection:MAL
                                        Classification:mal64.phis.winDOC@23/12@28/196
                                        Cookbook Comments:
                                        • Found application associated with file extension: .doc
                                        • Exclude process from analysis (whitelisted): svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 52.109.20.38, 23.204.23.20, 52.111.251.17, 52.111.251.19, 52.111.251.16, 52.111.251.18, 52.123.129.14, 20.190.152.21
                                        • Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, scus-azsc-config.officeapps.live.com, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, prod-canc-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, dual-s-0005-office.config.skype.com, nleditor.osi.office.net, login.live.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        • VT rate limit hit for: daniel.abovetheaether.com

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Temp\~DF659E278ACAB8B99C.TMP

                                        Download File
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                        C:\Users\user\Desktop\~$nielEmployee-Handbook-84408.doc

                                        Download File
                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.5726726094536483
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:1134C7BF8DA025A2589B4BE9D867449B
                                        SHA1:F3318281E4A150F1E2E53B6B147F2BA6FA1C02DA
                                        SHA-256:29B4EC383B129F47A0CC64E0E2A42E2694AFC88651DCEF719D379DC58ED9D1EC
                                        SHA-512:98473CADDFBF82386FFBF5FA8B891BCA0CB5D9041E1C4B9D58CA869E537FE08E403542E1FECE58344135BE43E86CB4129B5361E3D6CC474C2426A41701748785
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:...........................................................W...a.jX....V......=B]..........a.j.........N...................................C]....}..j.....W...=.j

                                        Chrome Cache Entry: 76

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (65447)
                                        Category:downloaded
                                        Size (bytes):89501
                                        Entropy (8bit):5.289893677458563
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:8FB8FEE4FCC3CC86FF6C724154C49C42
                                        SHA1:B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
                                        SHA-256:FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
                                        SHA-512:F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://code.jquery.com/jquery-3.6.0.min.js
                                        Preview:/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct

                                        Chrome Cache Entry: 80

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:PNG image data, 16 x 35, 8-bit/color RGB, non-interlaced
                                        Category:downloaded
                                        Size (bytes):61
                                        Entropy (8bit):4.068159130770306
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:1253F72A1ED35E642EEB30DEC52CCEDD
                                        SHA1:9F5DC4347E76E55FADA9897F17BEE89663E012A8
                                        SHA-256:7201D968F30B5D1B69C0AEFFB40CBADF1192E0FF6ED9AA4C6D9F1AA10A381EC2
                                        SHA-512:F7D9F24652C5D7AFC4909A50B9B232CC475BFD7775C7E33483F63B5AECCABDBC3ACF0B6CC99AA4B849043BFD64520FC7FE82EC5432362F2F21846F12851B5533
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/d/926519525f71438a/1742975865943/PfhuddysdPN7kjP
                                        Preview:.PNG........IHDR.......#........5....IDAT.....$.....IEND.B`.

                                        Chrome Cache Entry: 82

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):772
                                        Entropy (8bit):4.768305351375119
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:35B55021B21E95AB37525855A0A3C9E3
                                        SHA1:64BD159F18C94EA130019C306693D1108E011FBF
                                        SHA-256:975388D22FB5E84E383A0B6E1AEBD9256D934315C61D961D386909AD77935EBE
                                        SHA-512:7EB2E322D93C22F23C99C943A72FEB472EED53F79B4521EB68A261DD2910B595ADD968CA789EC117BD3BAED5DB2F7E86A7366ADB6831454AF9E5838813F2D181
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:{. "ip": "161.77.13.20",. "network": "161.77.0.0/19",. "version": "IPv4",. "city": "Springfield",. "region": "Massachusetts",. "region_code": "MA",. "country": "US",. "country_name": "United States",. "country_code": "US",. "country_code_iso3": "USA",. "country_capital": "Washington",. "country_tld": ".us",. "continent_code": "NA",. "in_eu": false,. "postal": "01101",. "latitude": 42.0986,. "longitude": -72.5931,. "timezone": "America/New_York",. "utc_offset": "-0400",. "country_calling_code": "+1",. "currency": "USD",. "currency_name": "Dollar",. "languages": "en-US,es-US,haw,fr",. "country_area": 9629091.0,. "country_population": 327167434,. "asn": "AS7849",. "org": "CROCKERCOM".}

                                        Chrome Cache Entry: 83

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (47992), with no line terminators
                                        Category:downloaded
                                        Size (bytes):47992
                                        Entropy (8bit):5.605846858683577
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:CF3402D7483B127DED4069D651EA4A22
                                        SHA1:BDE186152457CACF9C35477B5BDDA5BCB56B1F45
                                        SHA-256:EAB5D90A71736F267AF39FDF32CAA8C71673FD06703279B01E0F92B0D7BE0BFC
                                        SHA-512:9CE42EBC3F672A2AEFC4376F43D38CA9ED9D81AA5B3C1EEF60032BCC98A1C399BE68D71FD1D5F9DE6E98C4CE0B800F6EF1EF5E83D417FBFFA63EEF2408DA55D8
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
                                        Preview:!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var h,t,e,r,i,n,f,o,s,c,a,l,d,m,x,b,H,z,A,u,p,_,v,y,g,B,w,k,S,C,D,E,R,M,F,P,W,O,I,U,K,X,L,j,N,T,q,Z,V,G,J,$,Q,Y,tt,et,rt,it,nt,ot,st,ct,at,ht,lt,ft,dt,ut,pt,_t,vt,yt,gt,Bt,wt,kt,St,bt=bt||function(l){var t;if("undefined"!=typeof window&&window.crypto&&(t=window.crypto),!t&&"undefined"!=typeof window&&window.msCrypto&&(t=window.msCrypto),!t&&"undefined"!=typeof global&&global.crypto&&(t=global.crypto),!t&&"function"==typeof require)try{t=require("crypto")}catch(t){}function i(){if(t){if("function"==typeof t.getRandomValues)try{return t.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof t.randomBytes)try{return t.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}var r=Object.create||function(t){var e;return n.prototype=t,e=new n,n.prototype=null

                                        Chrome Cache Entry: 84

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:PNG image data, 2 x 2, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):61
                                        Entropy (8bit):3.990210155325004
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:9246CCA8FC3C00F50035F28E9F6B7F7D
                                        SHA1:3AA538440F70873B574F40CD793060F53EC17A5D
                                        SHA-256:C07D7D29E3C20FA6CA4C5D20663688D52BAD13E129AD82CE06B80EB187D9DC84
                                        SHA-512:A2098304D541DF4C71CDE98E4C4A8FB1746D7EB9677CEBA4B19FF522EFDD981E484224479FD882809196B854DBC5B129962DBA76198D34AAECF7318BD3736C6B
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:.PNG........IHDR...............s....IDAT.....$.....IEND.B`.

                                        Chrome Cache Entry: 85

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:HTML document, ASCII text, with very long lines (56756)
                                        Category:downloaded
                                        Size (bytes):58296
                                        Entropy (8bit):6.052265860508475
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:CBB42513032D6C09E496731AC16C20A9
                                        SHA1:C92F38A701AAD58408451D24DD4C47B05F158CF0
                                        SHA-256:D189695B2F3BB92369881F2428FA861DCA9D9A94C638D9BDC4E2FA747D6F315B
                                        SHA-512:3D76F1018AFCEABA7CBB4083F4A5B5758966EC2AA5D5C6B07D72361782809F7ED4BD34ED9E0C4154D01A2DB7192155DE8251E5A834DD90B8D9823D916E1B7285
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://daniel.abovetheaether.com/favicon.ico
                                        Preview:<!doctype html>.<html>..<head>...<meta charset="utf-8" />...<meta name="viewport" content="width=device-width, initial-scale=1.0" />...<title>404 Not Found</title>...<style>....* {.....margin: 0;.....padding: 0;.....box-sizing: border-box;....}....html {.....height: 100%;....}....body {.....height: 100%;.....font-size: 14px;....}.....container {.....display: flex;.....flex-direction: column;.....align-items: center;.....height: 100%;.....padding-top: 12%;....}.....logo img {.... display: block;.... width: 100px;....}.....logo img + img {.... margin-top: 12px;....}.....title {.....margin-top: 24px;.....font-size: 110px;.....color: #333;.....letter-spacing: 10px;....}.....desc {.....font-size: 16px;.....color: #777;.....text-align: center;.....line-height: 24px;....}.....footer {...../* position: absolute;.....left: 0;.....bottom: 32px;.....width: 100%; */.....margin-top: 24px;.....text-align: center;.....font-size: 12px;....}.....footer .btlink {.....color: #20a53a;.....text-de

                                        Chrome Cache Entry: 86

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):40
                                        Entropy (8bit):4.120950594454667
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:B09F000BFB98ABD880BC77E05456FFEA
                                        SHA1:FBADFA7F41B709507692B8FCEA597474EED91E2C
                                        SHA-256:0A721532497036FF7D8B228DD8D4EF5E91777B0BD2B11F49F5B2CCDDD55EB259
                                        SHA-512:F2E0CF9FD6D14EAF9BE953052515A598E9F96186FB82D5FA8D3E9B01F9706284DE8DDDF343AB69CF566EDEB28C659D65E0D608F99A5717A7CBFB2CC48ADA15A7
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:{"detail":"Method \"GET\" not allowed."}

                                        Chrome Cache Entry: 87

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1920x1080, components 3
                                        Category:dropped
                                        Size (bytes):295316
                                        Entropy (8bit):7.920261603808197
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:27BEB1F15D918943C685AF9DF98DB3E6
                                        SHA1:00771E6D0370A101BE0037FAAD66CB21A47B2F01
                                        SHA-256:9299CD0C2E68B1531C8A2CD00B7ECDF49E358E4009796BFC04BDB1E95A1AAA35
                                        SHA-512:A66118EBE8C0A9B2514B0249231C54F1B1AE69FB763C11DB8925C84625946256F6AC9CA97140C7EDBD276F063644758931A8EF7EF59BA936EB93A997D2ED3137
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:......JFIF.....H.H.....C................#.....+.!.#3-652-108?QE8<M=01F`GMTV[\[7DcjcXjQY[W...C.......)..)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW......8...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.`Y\..G.#]...B.N6.....]..z.i._M.....,C|.}}.Qn.s.e..'.,........H.7l6.O%}.......8e...^..A|.......pH.e..S..X. gP...Tw...&...~...-Q`\.....59.....,..8...)..D'i.aL....a.&.&.[%...^L.e.......,.q..a..a,..N;.....m..)..Z.$...yb.!.aD.Fy.jh....$..`.g]...J.5...y"..UN.@....R).q"<K|...*m......2o.D...q.3z`{zv.-.........V..z}h...O...#e.v..L..l@..p.$.r.NFO..\Nb.-.6.s...2.b..u.s

                                        Chrome Cache Entry: 88

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (48122)
                                        Category:downloaded
                                        Size (bytes):48123
                                        Entropy (8bit):5.342998089666478
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:EA38BDA3C117E2FE01BD862003357394
                                        SHA1:767CCB3589E3067EE1B348DF2426A9E2E32CEE5C
                                        SHA-256:719423C7B70AC911F76D00B3AE514D108A8315EA60A80519820BE50C0E4C96EF
                                        SHA-512:F50FAB9DC2263F40216DF26C234AD390091F23185650E9B4E4748CF09CFEDF2D92A99FC81C986234580844393305AC2195E096DEDB64D9A25A99EF7BE510FFCA
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://challenges.cloudflare.com/turnstile/v0/b/708f7a809116/api.js
                                        Preview:"use strict";(function(){function jt(e,t,a,o,c,l,v){try{var h=e[l](v),s=h.value}catch(p){a(p);return}h.done?t(s):Promise.resolve(s).then(o,c)}function qt(e){return function(){var t=this,a=arguments;return new Promise(function(o,c){var l=e.apply(t,a);function v(s){jt(l,o,c,v,h,"next",s)}function h(s){jt(l,o,c,v,h,"throw",s)}v(void 0)})}}function V(e,t){return t!=null&&typeof Symbol!="undefined"&&t[Symbol.hasInstance]?!!t[Symbol.hasInstance](e):V(e,t)}function De(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function Ve(e){for(var t=1;t<arguments.length;t++){var a=arguments[t]!=null?arguments[t]:{},o=Object.keys(a);typeof Object.getOwnPropertySymbols=="function"&&(o=o.concat(Object.getOwnPropertySymbols(a).filter(function(c){return Object.getOwnPropertyDescriptor(a,c).enumerable}))),o.forEach(function(c){De(e,c,a[c])})}return e}function Ir(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertyS

                                        Chrome Cache Entry: 89

                                        Download File
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (48316), with no line terminators
                                        Category:downloaded
                                        Size (bytes):48316
                                        Entropy (8bit):5.6346993394709
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:2CA03AD87885AB983541092B87ADB299
                                        SHA1:1A17F60BF776A8C468A185C1E8E985C41A50DC27
                                        SHA-256:8E3B0117F4DF4BE452C0B6AF5B8F0A0ACF9D4ADE23D08D55D7E312AF22077762
                                        SHA-512:13C412BD66747822C6938926DE1C52B0D98659B2ED48249471EC0340F416645EA9114F06953F1AE5F177DB03A5D62F1FB5D321B2C4EB17F3A1C865B0A274DC5C
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js
                                        Preview:!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();

                                        Static File Info

                                        General

                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1200, Number of Characters: 0, Revision Number: 0, Security: 0, Number of Words: 0
                                        Entropy (8bit):6.722998073766099
                                        TrID:
                                        • Microsoft Excel sheet (30009/1) 78.94%
                                        • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                        File name:DanielEmployee-Handbook-84408.doc
                                        File size:73'728 bytes
                                        MD5:38df9ff0fcbd2e8312b9f33cfb7978b7
                                        SHA1:3a6a98181d6eb63f67a10a746f5b490633eebc9f
                                        SHA256:ce09989dc9e230fc9c09a072cb940c1c9c3a79bf4afc6acb3b9ada8a9d11b2f7
                                        SHA512:b8fb53d6f2fd06f9d2d98fe844c65848425bd4830be2d52d1bde9730a3d4eee3b497eb2c7e3d14d639871326de79bebffeb8c04bab9e997823e1f5634c85d895
                                        SSDEEP:768:4V8hkFm/a5BpgYGDhiNsSk+RqQnOdAW9OVSJDYEQ+qSR10zktfe4gEA55BLAiVHv:Y8qFm/OADsFJWl9YQA45FePEA5/Px
                                        TLSH:B7736C8313D3A605F177E9B28677C2B47A317C684D779A2A16507E1EECB2A240F74B13
                                        File Content Preview:........................!......................................................................................................................................................................................................................................

                                        File Icon

                                        Icon Hash:35e1cc889a8a8599

                                        Static OLE Info

                                        General

                                        Document Type:OLE
                                        Number of OLE Files:1

                                        OLE File "DanielEmployee-Handbook-84408.doc"

                                        Indicators
                                        Has Summary Info:
                                        Application Name:None
                                        Encrypted Document:False
                                        Contains Word Document Stream:True
                                        Contains Workbook/Book Stream:False
                                        Contains PowerPoint Document Stream:False
                                        Contains Visio Document Stream:False
                                        Contains ObjectPool Stream:False
                                        Flash Objects Count:0
                                        Contains VBA Macros:False
                                        Summary
                                        Code Page:1200
                                        Title:
                                        Subject:
                                        Author:
                                        Keywords:
                                        Last Saved By:
                                        Revion Number:0
                                        Total Edit Time:0
                                        Last Printed:1601-01-01 00:00:00
                                        Create Time:1601-01-01 00:00:00
                                        Last Saved Time:1601-01-01 00:00:00
                                        Number of Words:0
                                        Number of Characters:0
                                        Security:0
                                        Document Summary
                                        Document Code Page:1200
                                        Number of Paragraphs:0
                                        Thumbnail Scaling Desired:False
                                        General
                                        Stream Path:\x5DocumentSummaryInformation
                                        CLSID:
                                        File Type:data
                                        Stream Size:104
                                        Entropy:2.479305463121663
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . 8 . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Data Raw:fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 38 00 00 00 03 00 00 00 01 00 00 00 20 00 00 00 0b 00 00 00 28 00 00 00 06 00 00 00 30 00 00 00 02 00 00 00 b0 04 00 00 0b 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00
                                        General
                                        Stream Path:\x5SummaryInformation
                                        CLSID:
                                        File Type:data
                                        Stream Size:320
                                        Entropy:2.0282772532194504
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . .
                                        Data Raw:fe ff 00 00 05 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 10 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 04 00 00 00 80 00 00 00 10 00 00 00 8c 00 00 00 0c 00 00 00 94 00 00 00 05 00 00 00 a0 00 00 00 0b 00 00 00 ac 00 00 00 08 00 00 00 b8 00 00 00 0d 00 00 00 c4 00 00 00 09 00 00 00 d0 00 00 00
                                        General
                                        Stream Path:1Table
                                        CLSID:
                                        File Type:data
                                        Stream Size:5159
                                        Entropy:3.4474333568025113
                                        Base64 Encoded:False
                                        Data ASCII:Z . % . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                        Data Raw:5a 04 25 00 12 00 01 00 0b 01 0f 00 00 00 03 00 03 00 03 00 03 00 04 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00
                                        General
                                        Stream Path:Data
                                        CLSID:
                                        File Type:data
                                        Stream Size:44460
                                        Entropy:7.890653653613907
                                        Base64 Encoded:True
                                        Data ASCII:3 . . . D . d . . . . . . . . . . . . . . . . . . . . . @ . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . 3 . . . . . . . . . . . A . . . . . . . . . # . " . . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . [ @ $ F . . s . g . q . . . . . . . D . . . . . . . F . i . . . . [ @ $ F . . s . g . . J F I F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . % . . . " 1 ! % ) + .
                                        Data Raw:33 1b 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 40 0b e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 4a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 33 00 0b f0 12 00 00 00 7f 00 80 00 80 00 04 41 01 00 00 00 bf 01 02 00 02 00 23 00 22 f1 0c 00 00 00 90 03
                                        General
                                        Stream Path:WordDocument
                                        CLSID:
                                        File Type:data
                                        Stream Size:19968
                                        Entropy:4.015790294021357
                                        Base64 Encoded:False
                                        Data ASCII:. ! ` . . . . . . . . . . . . . . . . . . . . . . . . . A W N . 2 4 . 8 . . . . . . . . . . . . . . . . . . . . . . . N . . > . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . . . @ . . . t . . . . . . . . . . . . . > . . . . . . .
                                        Data Raw:ec a5 c1 00 21 60 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 94 1b 00 00 0e 00 41 57 4e 00 32 34 2e 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 00 4e 00 00 3e c7 00 00 3e c7 00 00 ca 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00