Windows Analysis Report
http://excelworks.co.uk/downloads/Mortgage%20Calculator%20and%20Comparator.xlsx

Overview

General Information

Sample URL: http://excelworks.co.uk/downloads/Mortgage%20Calculator%20and%20Comparator.xlsx
Analysis ID: 1541169

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Detected non-DNS traffic on DNS port
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Stores files to the Windows start menu directory

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 1092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6700 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1956,i,4280184149685828023,13410173413634450761,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • EXCEL.EXE (PID: 5504 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\Mortgage Calculator and Comparator.xlsx" MD5: 4A871771235598812032C822E6F68F19)
      • splwow64.exe (PID: 5952 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • chrome.exe (PID: 6364 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://excelworks.co.uk/downloads/Mortgage%20Calculator%20and%20Comparator.xlsx" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No yara matches
Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 13.107.253.45, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 5504, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49724
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49724, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 5504, Protocol: tcp, SourceIp: 13.107.253.45, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched
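Added example, not part of the Joe Sandbox report and not the Sigma rules' own code: the condition the two Sigma signatures above describe (an Office process initiating a connection to a non-local address), run over constructed EventID 3 records modelled on the data lines, plus the check the sandbox's "Detected non-DNS traffic on DNS port" heuristic does not make. That signature fires on the TCP flows to 1.1.1.1:53 listed further down, but TCP port 53 is also ordinary DNS over TCP (RFC 7766), so only parsing the payload separates a retried DNS query from something else on that port. The Office image list, the sample events and the PID attribution of the port-53 flow are assumptions for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Office binaries to key on (assumption: illustrative list, not copied from the rules).
OFFICE_IMAGES = {
    "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}


@dataclass(frozen=True)
class NetConn:
    """One Sysmon EventID 3 record, with the fields the report prints."""
    image: str
    initiated: bool
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    pid: int


def is_local_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified)


def office_outbound_connections(events):
    """Office image + Initiated=true + non-local destination: the condition that
    matched EXCEL.EXE (PID 5504) -> 13.107.253.45:443 in this report."""
    hits = []
    for ev in events:
        image = ev.image.rsplit("\\", 1)[-1].lower()
        if image in OFFICE_IMAGES and ev.initiated and not is_local_address(ev.dst_ip):
            hits.append(ev)
    return hits


def tcp_port53_flows(events):
    """What the 'non-DNS traffic on DNS port' heuristic keys on: TCP to port 53."""
    return [ev for ev in events
            if ev.protocol == "tcp" and ev.dst_port == 53 and ev.initiated]


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS-over-TCP query: RFC 7766 2-byte length prefix + RFC 1035 message."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(msg)) + msg


def parse_dns_tcp(payload: bytes):
    """Return (qname, qtype) if payload is a well-formed DNS-over-TCP query,
    else None. Real DNS over TCP passes; HTTP or a tunnel on port 53 does not."""
    if len(payload) < 2 + 12:
        return None
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:]
    if length != len(msg):
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1 or flags & 0x8000:      # exactly one question, QR bit clear
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln > 63 or pos + ln > len(msg):  # no compression pointers in a question name
            return None
        labels.append(msg[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    if qclass != 1:                          # class IN
        return None
    return ".".join(labels), qtype


# Constructed records modelled on the report's Sigma data (not the real log).
SAMPLE_EVENTS = [
    NetConn(r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
            True, "tcp", "192.168.2.16", 49724, "13.107.253.45", 443, 5504),
    NetConn(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
            True, "tcp", "192.168.2.16", 60795, "1.1.1.1", 53, 6700),
    NetConn(r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
            True, "tcp", "192.168.2.16", 49730, "192.168.2.4", 445, 5504),
]

if __name__ == "__main__":
    for ev in office_outbound_connections(SAMPLE_EVENTS):
        print("office outbound:", ev.image, "->", f"{ev.dst_ip}:{ev.dst_port}")
    for ev in tcp_port53_flows(SAMPLE_EVENTS):
        print("tcp/53 flow to", ev.dst_ip, "- check its payload with parse_dns_tcp()")
    print(parse_dns_tcp(build_dns_query("excelworks.co.uk")))
```

The third sample event (Excel to an RFC 1918 address on 445) is there to show that the Sigma condition is about non-local destinations; it is not flagged. A flow-level heuristic cannot decide what the port-53 traffic was, which is why the payload parser is the part worth keeping.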

There are no malicious signatures.

Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.160.20:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.16:49724 version: TLS 1.2
Source: excel.exe Memory has grown: Private usage: 6MB later: 84MB
Source: chrome.exe Memory has grown: Private usage: 17MB later: 30MB
Source: global traffic TCP traffic: 192.168.2.16:60795 -> 1.1.1.1:53 (30 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56 (15 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.160.20 (11 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203 (7 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108 (7 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10 (6 occurrences)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Content-Length: 241754
Connection: keep-alive
Keep-Alive: timeout=15
Last-Modified: Sat, 04 Mar 2017 10:05:09 GMT
Accept-Ranges: bytes
ETag: "b4e68ccece94d21:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 24 Oct 2024 12:34:31 GMT
Data Raw: 50 4b 03 04 14 00 06 00 08 00 00 00 21 00 bf 54 4c 1a 86 02 00 00 d4 14 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 (remaining 00 padding of the extra field elided) cc 58 c1 72 da 30 10 bd 77 a6 ff e0 d1 b5 83 05 69 9b 26 19 20 87 a4 3d b6 99 49 fa 01 8a bc 60 15 59 d2 48 0a 81 bf af 6c ac b4 18 b0 85 ed 4e 7d 01 1b 6b f7 bd 7d 5a db 8f 9d de 6e 32 1e ad 41 1b 26 c5 4d e2 31 8a 40 50 99 30 b1 9c a1 9f 4f df 46 57 28 32 96 88 84 70 29 60 86 b6 60 d0 ed fc fd bb e9 d3 56 81 89 5c b4 30 33 94 5a ab 6e 30 36 34 85 8c 98 58 2a 10 ee ca 42 ea 8c 58 77 aa 97 58 11 ba 22 4b c0 17 e3 f1 25 a6 52 58 10 76 64 f3 1c 68 3e bd 87 05 79 e1 36 fa ba 71 3f ef 98 3c 33 81 a2 bb dd ba 1c 6a 86 88 52 9c 51 62 1d 51 bc 16 49 05 64 24 17 0b 46 21 91 f4 25 73 a9 63 a3 34 90 c4 a4 00 36 e3 b1 d2 cc 21 ea 47 b0 d6 15 66 10 3e 8a f9 4b c1 b2 02 ca b2 9c 74 71 e1 78 8c 06 6e 2a 31 0d 44 4b 25 62 17 59 14 63 52 a6 cc 07 27 d7 09 56 f9 95 d3 4a 9c 8e 5b d7 c6 35 2b e8 e2 ef 35 79 75 7a e5 c4 7e b8 1e d1 2c 81 e8 81 68 fb 9d 64 6e 43 f0 86 e3 57 a9 57 cf 52 ae e2 7a 96 cd 68 fb fb 55 ec 5b 9c 11 26 bc 30
Data decoded: 50 4b 03 04 is the ZIP local-file-header signature ("PK\x03\x04"); method 08 00 is deflate; name length 13 00 (19) and extra length 08 02 (520) are followed by the entry name [Content_Types].xml and a 520-byte extra field (header ID 20 a2, the padding field Office writes), after which the deflate stream begins at cc 58. That matches the Content-Type: an OOXML package, not a legacy OLE2 (.xls) file.
Source: global traffic HTTP traffic detected: GET /downloads/Mortgage%20Calculator%20and%20Comparator.xlsx HTTP/1.1
Host: excelworks.co.uk
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
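Added example, not from the Joe Sandbox report: the offline triage a practitioner would run on the kind of file served above before trusting a clean verdict. It confirms the ZIP/OOXML structure the response bytes show (PK\x03\x04, a [Content_Types].xml entry), then looks inside the package for the parts that can execute code or reach out when the workbook is opened: a VBA project, Excel 4.0 macro sheets, external links, embedded objects, and DDE-style formulas in worksheet XML. The sample package is built in memory and is constructed; it is not the real download, and the part names and regexes are assumptions about the usual OOXML layout.

```python
import io
import re
import zipfile

# Package parts that do not belong in a plain .xlsx. The extension is not trusted:
# a vbaProject.bin inside a file named .xlsx is exactly the mismatch to flag.
SUSPICIOUS_PARTS = {
    "vba_project": re.compile(r"^xl/vbaProject\.bin$", re.I),
    "xlm_macro_sheet": re.compile(r"^xl/macrosheets/", re.I),
    "external_link": re.compile(r"^xl/externalLinks/", re.I),
    "embedded_object": re.compile(r"^xl/embeddings/", re.I),
}
# A DDE-style formula stored in worksheet XML, e.g. <f>cmd|'/c calc'!A0</f>
DDE_FORMULA = re.compile(r"<f>[^<]*\|[^<]*![A-Z]+\d+", re.I)


def triage_xlsx(data: bytes) -> dict:
    """Walk the package and collect (label, part name) findings."""
    findings = {"is_zip": data[:4] == b"PK\x03\x04", "is_ooxml": False,
                "parts": [], "suspicious": []}
    if not findings["is_zip"]:
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["parts"] = names
        findings["is_ooxml"] = "[Content_Types].xml" in names
        for name in names:
            for label, pattern in SUSPICIOUS_PARTS.items():
                if pattern.search(name):
                    findings["suspicious"].append((label, name))
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                xml = zf.read(name).decode("utf-8", "replace")
                if DDE_FORMULA.search(xml):
                    findings["suspicious"].append(("dde_formula", name))
    return findings


def build_sample_xlsx(with_macro: bool = False, with_dde: bool = False) -> bytes:
    """Constructed minimal package: just enough structure for triage_xlsx to walk."""
    formula = "cmd|'/c calc'!A0" if with_dde else "SUM(B1:B2)"
    sheet = ('<worksheet><sheetData><row r="1"><c r="A1"><f>' + formula
             + '</f></c></row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        if with_macro:
            # Fake OLE2 header stands in for a real VBA project stream.
            zf.writestr("xl/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("benign", build_sample_xlsx()),
                       ("macro+dde", build_sample_xlsx(with_macro=True, with_dde=True))):
        result = triage_xlsx(pkg)
        print(label, "ooxml" if result["is_ooxml"] else "not ooxml", result["suspicious"])
```

Run it against the downloaded file with `triage_xlsx(open(path, "rb").read())`; an empty `suspicious` list together with `is_ooxml` is the result this report's clean score implies, and anything else is a reason to open the workbook only in Protected View or not at all.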
Source: global traffic DNS traffic detected: DNS query: excelworks.co.uk
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: classification engine Classification label: clean2.win@21/7@4/729
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\289d11d1-8c6d-4ef4-abec-a2760236c5a4.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{652179CC-8CDC-480B-97BB-EC30397C2068} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1956,i,4280184149685828023,13410173413634450761,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://excelworks.co.uk/downloads/Mortgage%20Calculator%20and%20Comparator.xlsx"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\Mortgage Calculator and Comparator.xlsx"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown (13 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (33 occurrences)
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (19 occurrences)
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 1276
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 8116
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000 (9 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures; techniques without a number are the unmatched matrix scaffold)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); Registry Run Keys / Startup Folder (1); Extra Window Memory Injection (1); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Extra Window Memory Injection (1); Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (3); Application Layer Protocol (4); Ingress Tool Transfer (2); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | |
www.google.com | 142.250.185.196 | true | false | |
excelworks.co.uk | 217.160.0.56 | true | false | |
s-part-0039.t-0009.t-msedge.net | 13.107.246.67 | true | false | |
s-part-0039.t-0009.fb-t-msedge.net | 13.107.253.67 | true | false | |
s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false | |
s-part-0029.t-0009.t-msedge.net | 13.107.246.57 | true | false | |
Name | Malicious | Antivirus Detection | Reputation
http://excelworks.co.uk/downloads/Mortgage%20Calculator%20and%20Comparator.xlsx | false | unknown
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCK, US | false
217.160.0.56 | excelworks.co.uk | Germany | 8560 | ONEANDONE-AS Brauerstrasse 48, DE | false
142.250.74.206 | unknown | United States | 15169 | GOOGLE, US | false
172.217.18.3 | unknown | United States | 15169 | GOOGLE, US | false
13.107.253.45 | s-part-0017.t-0009.fb-t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCK, US | false
40.79.150.121 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK, US | false
74.125.206.84 | unknown | United States | 15169 | GOOGLE, US | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.185.196 | www.google.com | United States | 15169 | GOOGLE, US | false
52.109.28.46 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK, US | false
142.250.186.110 | unknown | United States | 15169 | GOOGLE, US | false
184.28.90.27 | unknown | United States | 16625 | AKAMAI-AS, US | false
216.58.212.163 | unknown | United States | 15169 | GOOGLE, US | false
                  IP
                  192.168.2.16
                  192.168.2.18
                  192.168.2.4
                  192.168.2.6
                  192.168.2.5
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541169
Start date and time: 2024-10-24 14:33:56 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: http://excelworks.co.uk/downloads/Mortgage%20Calculator%20and%20Comparator.xlsx
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Detection: CLEAN
Classification: clean2.win@21/7@4/729
• Max analysis timeout: 600s exceeded, the analysis took too long
• Exclude process from analysis (whitelisted): svchost.exe
• Excluded IPs from analysis (whitelisted): 216.58.212.163
• Excluded domains from analysis (whitelisted): clientservices.googleapis.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: http://excelworks.co.uk/downloads/Mortgage%20Calculator%20and%20Comparator.xlsx
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 11:34:30 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2673
Entropy (8bit): 3.977608547343463
Encrypted: false
SSDEEP:
MD5: D2C183132FD6C5BA3A8B4DB8EBB8EAA2
SHA1: 56599BECB5F260B0683E59764FD0B37BF77BEF74
SHA-256: F698EEB64897F55E28B16F06E6F5D91756ACBC9FEFE0FBC68A0061DAD267D3F5
SHA-512: A2347F32531EEC9BD0834147910EC31A2D384FCB851CDE73C1FFC67C1D5A7D8B6CBD195A30C7B4EDAD3BBB0A667B1209F2C3616BF29E5B3EF2B8841F9CA3EFE5
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 11:34:30 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2675
Entropy (8bit): 3.9935801168055858
Encrypted: false
SSDEEP:
MD5: 0CC9FDD1790D7758F602E07317FDDE6C
SHA1: 22588F2273224103BE9A320D1289D323D980FCB3
SHA-256: 4986ACB651AD1A0F9794515A2C9A02193C556154EA15833968E1B7C595DD8EF9
SHA-512: 6EB733741758280416E928F8AC6D8913C47EF98D1B765BBBF906A934F71460C2099D59C3C58CDBF10C2B4B98B61D037AFB8BE8B387BD86A399C7C17C26D1B1EA
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2689
Entropy (8bit): 4.00528146398373
Encrypted: false
SSDEEP:
MD5: 1C397450CA4A5F5F5DCAB11C12AE4A1C
SHA1: E453B6B50558E0C95BC66C5111131295E1020F02
SHA-256: 23C5DB3A3822899F0E660AA555A2535250ACBD2F0BEEF77D8CAF4EF28B22CE5A
SHA-512: 7CD9F25CA929D6D1AA61E423AB7D9BB155ABEFB2A91B2CEFAC821D2CD9391DD9BCBD9FE4CE3FEC3ACACD35A3ED772FD5C8B4CE58988651BF8B0C1A903B78D9AF
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 11:34:30 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2677
Entropy (8bit): 3.9923405817864204
Encrypted: false
SSDEEP:
MD5: 84561DA5204FA3521F696380F242B69F
SHA1: 804D70C3B9BA3EE44804E2980CA6CEC189138432
SHA-256: A54514EDE100DA74C68B8C1A104894EEBE0260A0A9DADF3F8BA66877E433C7B3
SHA-512: DA6217A0683D42256BCB97B8B7632D4AD75918BC95771E0AB31557E2E5452FBB02F178D990E85910FA88CE7A1D336025743724B8ED2D2CF1BF69DA69DD90FF0D
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 11:34:30 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2677
Entropy (8bit): 3.980215703762547
Encrypted: false
SSDEEP:
MD5: 84D931DC9E6D6E664C4625C73F5EBB9B
SHA1: 83ACDC28CEEECA38A730A491FD9EE664EDA98CCE
SHA-256: E0923F419C9EC914D4400281326CF773A76CAA6B3B79FC407FFAFF48D095D181
SHA-512: FA71FA512AA964AC971C3CC69C668215EB7EA96B7C13997C6227BA42C2B7C7466246510DC6CFD055DACAEB24B1F118338B4E343396EE7005ED332961344F2D1C
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 24 11:34:30 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2679
Entropy (8bit): 3.988602950191592
Encrypted: false
SSDEEP:
MD5: EDDADF83FF20B08557CEC2F2BD4C8BF8
SHA1: 34187695B90EA1659644D4DD45C2174FC7E77296
SHA-256: A43846E16667A6693AD7CC25D340024FDE463325362BF33E7E5D4701C3665E08
SHA-512: C551D759C300ED4E1F3EB4B4EE5F17D05E02796F584B212B737D1D02E7546F717EEDCD6FEBB78E483BA49D4239A05A623B67BA69C72847EE0C5F6CD75832384C
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Microsoft Excel 2007+
Category: dropped
Size (bytes): 14125
Entropy (8bit): 7.5872432590636825
Encrypted: false
SSDEEP:
MD5: B4A6E647E2DEF532D82A6B02D553CB14
SHA1: C824B5ECDBD9F888F1FE57A026B244829987CC9B
SHA-256: 8285294B011A6F89411F4781D025393C1A7B0397B5496CE391346333807CA078
SHA-512: F0AB1506CBEFD782CD6BB36564A701656C0360284FEC4DAADBDB642E0985279E38F9915CA100C6D4BF5ED1BC09094ED7642F540DFD39D6F306472207C43861CA
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Microsoft Excel 2007+
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP:
MD5: B4A6E647E2DEF532D82A6B02D553CB14
SHA1: C824B5ECDBD9F888F1FE57A026B244829987CC9B
SHA-256: 8285294B011A6F89411F4781D025393C1A7B0397B5496CE391346333807CA078
SHA-512: F0AB1506CBEFD782CD6BB36564A701656C0360284FEC4DAADBDB642E0985279E38F9915CA100C6D4BF5ED1BC09094ED7642F540DFD39D6F306472207C43861CA
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Microsoft Excel 2007+
Category: dropped
Size (bytes): 0
Entropy (8bit): 0.0
Encrypted: false
SSDEEP:
MD5: B4A6E647E2DEF532D82A6B02D553CB14
SHA1: C824B5ECDBD9F888F1FE57A026B244829987CC9B
SHA-256: 8285294B011A6F89411F4781D025393C1A7B0397B5496CE391346333807CA078
SHA-512: F0AB1506CBEFD782CD6BB36564A701656C0360284FEC4DAADBDB642E0985279E38F9915CA100C6D4BF5ED1BC09094ED7642F540DFD39D6F306472207C43861CA
Malicious: false
Reputation: unknown
                  No static file info