Edit tour

Windows Analysis Report
Salary_Increase_Approval_Open_Enrollment_2024.zip

Overview

General Information

Sample name:	Salary_Increase_Approval_Open_Enrollment_2024.zip
Analysis ID:	1542133
MD5:	f46f6a6d3f24f11850cd405e361cf495
SHA1:	9425aabe014c80ea79fcbb68af4fd7b553a792b7
SHA256:	c239e74bce525ab693ca25768d9c95409bfad4fac5cfc3d7a4b114f8749e053e
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 7144 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Acrobat.exe (PID: 6412 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Temp1_Salary_Increase_Approval_Open_Enrollment_2024.zip\Salary_Increase_Approval_Open_Enrollment_202440943.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6684 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 4436 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2288 --field-trial-handle=1588,i,4446440725060870792,4375099241188172724,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 6844 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://authrcni.rcn.org.uk/simplesaml/module.php/authrcnssoapi/redirect_login_state.php?spentityid=https%3A//journals.rcni.com/saml/metadata.action&RelayState=https://grandmaraissegwaytours.com/wp-services/404#jun_miyazawa+Iamgold.com MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 7156 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 --field-trial-handle=2208,i,2063558197444806222,13888880926085695664,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://grandmaraissegwaytours.com/wp-services/404#jun_miyazawa+Iamgold.com

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.17:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.17:49746 version: TLS 1.2

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 96.7.168.138 96.7.168.138

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200

Source: global traffic	HTTP traffic detected: GET /simplesaml/module.php/authrcnssoapi/redirect_login_state.php?spentityid=https%3A//journals.rcni.com/saml/metadata.action&RelayState=https://grandmaraissegwaytours.com/wp-services/404 HTTP/1.1Host: authrcni.rcn.org.ukConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LyrU3n3WnlMFWuu&MD=VyAL+vyU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /wp-services/404 HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/js/simple-expand.min.js HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://grandmaraissegwaytours.com/wp-services/404Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/images/w.png HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://grandmaraissegwaytours.com/wp-services/404Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/images/404top_w.jpg HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://grandmaraissegwaytours.com/wp-services/404Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/images/404mid.gif HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://grandmaraissegwaytours.com/wp-services/404Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/images/404bottom.gif HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://grandmaraissegwaytours.com/wp-services/404Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/js/simple-expand.min.js HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/images/w.png HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://grandmaraissegwaytours.com/wp-services/404Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/images/404mid.gif HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/images/404bottom.gif HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/images/404top_w.jpg HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: grandmaraissegwaytours.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://grandmaraissegwaytours.com/wp-services/404Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LyrU3n3WnlMFWuu&MD=VyAL+vyU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: authrcni.rcn.org.uk
Source: global traffic	DNS traffic detected: DNS query: grandmaraissegwaytours.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Fri, 25 Oct 2024 13:30:32 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 02 Oct 2022 13:07:59 GMTAccept-Ranges: bytesContent-Length: 5463Vary: Accept-EncodingContent-Type: text/html
Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Fri, 25 Oct 2024 13:30:36 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 02 Oct 2022 13:07:59 GMTAccept-Ranges: bytesContent-Length: 5463Vary: Accept-EncodingContent-Type: text/html
Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Fri, 25 Oct 2024 13:30:43 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 02 Oct 2022 13:07:59 GMTAccept-Ranges: bytesContent-Length: 5463Vary: Accept-EncodingContent-Type: text/html

Source: chromecache_162.6.dr, chromecache_158.6.dr	String found in binary or memory: http://code.jquery.com/jquery-3.3.1.min.js
Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: chromecache_162.6.dr, chromecache_158.6.dr	String found in binary or memory: http://gmpg.org/xfn/11
Source: 2D85F72862B55C4EADD9E66E06947F3D0.3.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: chromecache_151.6.dr, chromecache_160.6.dr	String found in binary or memory: https://github.com/redhotsly/simple-expand
Source: chromecache_151.6.dr, chromecache_160.6.dr	String found in binary or memory: https://raw.github.com/redhotsly/simple-expand/master/licence-mit.txt

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.17:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.17:49746 version: TLS 1.2

Source: classification engine

Classification label: clean1.winZIP@31/55@14/7

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6176

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-25 09-30-29-345.log

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Rundll32	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
http://x1.i.lencr.org/	0%	URL Reputation	safe
http://gmpg.org/xfn/11	0%	URL Reputation	safe

Name	IP	Active	Malicious	Reputation
grandmaraissegwaytours.com	192.185.113.79	true	false	unknown
www.google.com	142.250.185.196	true	false	unknown
agw-dl-gateway-01.rcn.org.uk	51.11.42.226	true	false	unknown
x1.i.lencr.org	unknown	unknown	false	unknown
authrcni.rcn.org.uk	unknown	unknown	false	unknown

Name	Malicious	Reputation
https://grandmaraissegwaytours.com/cgi-sys/images/w.png	false	unknown
https://grandmaraissegwaytours.com/favicon.ico	false	unknown
https://grandmaraissegwaytours.com/cgi-sys/images/404bottom.gif	false	unknown
https://grandmaraissegwaytours.com/cgi-sys/images/404top_w.jpg	false	unknown
https://grandmaraissegwaytours.com/wp-services/404#	false	unknown
https://grandmaraissegwaytours.com/wp-services/404#jun_miyazawa+Iamgold.com	false	unknown
https://authrcni.rcn.org.uk/simplesaml/module.php/authrcnssoapi/redirect_login_state.php?spentityid=https%3A//journals.rcni.com/saml/metadata.action&RelayState=https://grandmaraissegwaytours.com/wp-services/404	false	unknown
https://grandmaraissegwaytours.com/cgi-sys/images/404mid.gif	false	unknown
https://grandmaraissegwaytours.com/wp-services/404	false	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.3.dr	false	URL Reputation: safe	unknown
http://code.jquery.com/jquery-3.3.1.min.js	chromecache_162.6.dr, chromecache_158.6.dr	false		unknown
http://gmpg.org/xfn/11	chromecache_162.6.dr, chromecache_158.6.dr	false	URL Reputation: safe	unknown

IP	Domain	Country	ASN	ASN Name	Malicious
51.11.42.226	agw-dl-gateway-01.rcn.org.uk	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.196	www.google.com	United States	15169	GOOGLEUS	false
192.185.113.79	grandmaraissegwaytours.com	United States	46606	UNIFIEDLAYER-AS-1US	false
96.7.168.138	unknown	United States	262589	INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR	false

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542133
Start date and time:	2024-10-25 15:29:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Salary_Increase_Approval_Open_Enrollment_2024.zip
Detection:	CLEAN
Classification:	clean1.winZIP@31/55@14/7
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip

IP
192.168.2.17
192.168.2.15

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://mailengine.co/click_tracking?&redirectLink=http://embeds.beehiiv.com/d23df48a-754a-480b-9a5d-db66c2c46b92&source=email&ref=aa65ba1ae9f26d91fc495f31741706695402983&workflowInstance=65ba1aea0488580fac6abe1f&responseTemplate=630f7d144c49ff20dfe2b3c2&version=2	Get hash	malicious	Unknown	Browse
	https://realestatemania.ca/kxyNao-7Ms6e-WBJnj-uMnVb-7gZJL-v8aOp.php	Get hash	malicious	Unknown	Browse
	https://www.shareholds.com/eur/9fb868a2-97de-4fa6-bb9a-6e2bdc7c734d/99db7d04-72ba-41ea-a52e-2744d29c7f66/e845cf48-2115-4cda-904c-fc80c835df32/login?id=RDhIaE52RURnRGJHRWUzZ21seVc3R2xwMm5BK0k2NjNKbnlRYisvT3JURnNTa0p4Skp6OTRIVjNPa3VFclFOeEFTY2Jub0tIblFrbGo5SUhWb01RRCt4Q3FtaVlNeno4MU8zN2I3bmlveTF0Tm8yM0FOb1J4THRhM1RqNnhyazNHaDFNV3Zoc1RLN2VpV0ZZbUF2MDlWWGZ2Tk5STVpzUDVKaStnT0l0S1BVTlRzZ2lmcXI1Wkh6M1FheGd3Tjh2NVdaTzVOOTRQaVZrTmZrSjRIK3IvU1p4U2doYSsrYmtUOGl1RytpeGthUGFHT1g4UE4rbngvYnhpRXlJRG9oRVRWbUczdEc1ei9ESFJsT2lpZ2JyOFBLNTNoUXdzdVB0QjhVbmRBN1NSSUJYMTkrRnoxbENHSW5lYnJHczBnQytHaDlQSkRib1NTOFNJeTI2WVhCUkg5NGxNNzNMdzBmWktZenhCR2FnaFFaem5zU3FmbUV6WXowVFdOTEFjU3pGVnRjVlNFOHRtVlkvdk9WQjdibXBTNGZFcjUyb1BYTXRhQTRNNnJjbkJtcz0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse
	https://developmentltd.online/	Get hash	malicious	Captcha Phish	Browse
	https://u47839971.ct.sendgrid.net/ls/click?upn=u001.SS8YqfWjf1b3UNFf2g8-2BbyepSJ9NnVqTjg5p4PlqyZLDG-2F-2FRHUWKB7tpHO-2BD9IAzfDK69NBor6n5GDDWuKOaXjILtpHrb-2FuqosweWIwJauCFjFOIVaIDje-2BTbWeqpid-2Fe0IpJIrTIznxRC8RuWTXkcZZXZKUxIgeeMWOFH96Tjh3a3uDeIXRyoiB6ZRGKZhHD63OuPdyktyTbMDbA-2FurGQ-3D-3DGlRK_1fgoI9z-2BmeHj6kFR5jmXJyN8Vyo9ja5rNrkl1rR8UXAlmAe6PSc2-2FD85CLOIF98tpCjfsSquWpaRYnYzjD-2B-2FDF-2F8BwiwRSEwmTXwwlDUaQI3bDBZTUv-2Ffbse4A61ed6hVc-2BhhTqdpCqzpir5GY49O-2BVdqG9mHEhTR8OvRsDhxES9QAdY7ZiH-2BurXMNUWGL6VuIIVYma05ZXZK6zhQMDhjNBnJShmRWPp7Ow2IJgH96F8uRyUdyMUZ9au5PfRhmvWMnTj3B1KVxYBpNo7XRlBSlYjK74Z4HptPWz0XAvVILLp4Z5Qq7I-2BYF76YXE5ZsE-2F9hOEdmxnqZwZIEaC1BNDg2XB-2BluEEvEXRuR9ohEPc6VObquUxTQmba8bObSY0wG3oOeb2xD8hV6IKwMnr9d-2B5HbQscEqkWH5k7qnk6bAGBIHHNt95VH4uagG-2Bh74PJCdwHqpitEnC4IeAHXNdNtMkKw34-2BF8TeV7q4SmkRwe9osbefOHPWGyls7sZdEjodVX7wlBDRV2BLQlTlDkK-2FzuZ2EsHCtWTv7yrVJT-2B6p3fl4O5qZGyWAuATjn7386SmbgYFZYAIaRjabXb6J3Z9IYhB-2BBiP3zxZSMd-2BGGNtSLCQw7FqwKOUhYoEZSgG-2FLraJhb7xOSF-2FZGKBw-2FWGPQ5W16K6ZnP31akPWN-2FRy3A1tFL9-2FQXaviWuNn8VOeqLfBR9isxQ-2BqB-2Fm-2BPFRMhM4zyM42FPD-2FRIJxCXHHfAnucSqTKeA1iykI89pw6joYB-2B9v-2FXzQpkgszpTxbxZcZ7mH0xUY6S3QZDaIWpt-2F-2B0FpvTn8cArsTTKjQo1QO476bdWvqqoz32vBNn214xuFkN0blGHeazkhMWwmEzZM6r-2BTFrW2-2Fha62dTAc7eNUguY6HOm3gtrj2-2FYlAidnBTp5Y8fj3jmA-3D-3D	Get hash	malicious	Unknown	Browse
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse
	Play____Now_AUD__Neil.novembre.htm	Get hash	malicious	Unknown	Browse
	Fax_Message_04 September, 202411_21_58 AM_564308269612697.htm	Get hash	malicious	HTMLPhisher	Browse
192.185.113.79	Project_Proposal_Review_and_Approval13617.pdf	Get hash	malicious	Unknown	Browse
96.7.168.138	https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0	Get hash	malicious	Unknown	Browse
	bc3c228ad2c13f96cb14375c3860e802.pdf	Get hash	malicious	HTMLPhisher	Browse
	Demande de proposition du CPE Les Coquins.pdf	Get hash	malicious	Unknown	Browse
	Airbornemx Benefits Enrollment.pdf	Get hash	malicious	HTMLPhisher	Browse
	Scan_8346203.pdf	Get hash	malicious	Unknown	Browse
	Jwhite Pay Increase EFile997843.pdf	Get hash	malicious	Unknown	Browse
	roba.txt	Get hash	malicious	Meterpreter, ReflectiveLoader	Browse
	Inv No.248730.xls	Get hash	malicious	Unknown	Browse
	ddsfsfsa.pdf	Get hash	malicious	Unknown	Browse
	v2.0.pdf	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	ubBnwUNUUr.exe	Get hash	malicious	AsyncRAT	Browse	4.245.163.56 184.28.90.27
	https://mailengine.co/click_tracking?&redirectLink=http://embeds.beehiiv.com/d23df48a-754a-480b-9a5d-db66c2c46b92&source=email&ref=aa65ba1ae9f26d91fc495f31741706695402983&workflowInstance=65ba1aea0488580fac6abe1f&responseTemplate=630f7d144c49ff20dfe2b3c2&version=2	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	snBEoi6Tf4.exe	Get hash	malicious	AsyncRAT	Browse	4.245.163.56 184.28.90.27
	https://realestatemania.ca/kxyNao-7Ms6e-WBJnj-uMnVb-7gZJL-v8aOp.php	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	https://www.shareholds.com/eur/9fb868a2-97de-4fa6-bb9a-6e2bdc7c734d/99db7d04-72ba-41ea-a52e-2744d29c7f66/e845cf48-2115-4cda-904c-fc80c835df32/login?id=RDhIaE52RURnRGJHRWUzZ21seVc3R2xwMm5BK0k2NjNKbnlRYisvT3JURnNTa0p4Skp6OTRIVjNPa3VFclFOeEFTY2Jub0tIblFrbGo5SUhWb01RRCt4Q3FtaVlNeno4MU8zN2I3bmlveTF0Tm8yM0FOb1J4THRhM1RqNnhyazNHaDFNV3Zoc1RLN2VpV0ZZbUF2MDlWWGZ2Tk5STVpzUDVKaStnT0l0S1BVTlRzZ2lmcXI1Wkh6M1FheGd3Tjh2NVdaTzVOOTRQaVZrTmZrSjRIK3IvU1p4U2doYSsrYmtUOGl1RytpeGthUGFHT1g4UE4rbngvYnhpRXlJRG9oRVRWbUczdEc1ei9ESFJsT2lpZ2JyOFBLNTNoUXdzdVB0QjhVbmRBN1NSSUJYMTkrRnoxbENHSW5lYnJHczBnQytHaDlQSkRib1NTOFNJeTI2WVhCUkg5NGxNNzNMdzBmWktZenhCR2FnaFFaem5zU3FmbUV6WXowVFdOTEFjU3pGVnRjVlNFOHRtVlkvdk9WQjdibXBTNGZFcjUyb1BYTXRhQTRNNnJjbkJtcz0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse	4.245.163.56 184.28.90.27
	Quarantined Messages (1).zip	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	Fax_Message_04 September, 202411_21_58 AM_564308269612697.htm	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	https://gf5q.sqpbij.shop/?c2V0aC5wZW1iZXJAYXV0b3BhcnRpbnRsLmNvbTp3NThyNg	Get hash	malicious	HTMLPhisher	Browse	4.245.163.56 184.28.90.27
	https://onedrive.live.com/redir?resid=A2C259BD24DEB977%211517&authkey=%21AMV6sdjMIZf95vs&page=View&wd=target%28Quick%20Notes.one%7C8266a05f-045a-4cc0-bddc-4debc90069bb%2FNotera%20H6TYD9J4rDFDFECZC-HUYW%7Ca949d04d-b4e2-4509-b99f-d04546199b7b%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27
	ES Ny kontraktsrunda.msg	Get hash	malicious	Unknown	Browse	4.245.163.56 184.28.90.27

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.197283903234972
Encrypted:	false
SSDEEP:	6:RwYQyq2PsHO2nKuAl9OmbnIFUt86ywG1Zmw+6ywQRkwOsHO2nKuAl9OmbjLJ:fvkHVHAahFUt86yz1/+6yz51HVHAaSJ
MD5:	1866987676852F7513D919AA44C2CAC2
SHA1:	F626806A0965BCC127C81A9CBBDE890E81B2FFD4
SHA-256:	3E55A32BC99A28B97861D78FBFCAEB662977394F0F6DA50A6AFCEBF3A30AB62F
SHA-512:	C14858EFD6B9F7EE3EE89D346EDC522D8A6FBFAD1D6A85686B8BC34F26D1280CB4779B41E1564823DB114C463A801DC3E5A69E56D2FA0EC9BB149D95A9641917
Malicious:	false
Preview:	2024/10/25-09:30:28.296 b70 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/25-09:30:28.313 b70 Recovering log #3.2024/10/25-09:30:28.313 b70 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 25 12:30:31 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9906889316927954
Encrypted:	false
SSDEEP:	48:8tk+dKRTtb7WpEHEidAKZdA1JehwiZUklqehNy+3:8tCYVKy
MD5:	3D6E1AC19933EF7E8D0744F976F91DA8
SHA1:	E59FC7CA5F207495DAC57EF93F19E863B5905324
SHA-256:	BB9BBCD042EAFE0C49FB44DEB2437025FCD1A0FEDD468CCE212B009A6E6E647F
SHA-512:	C5EA7CE88D968641E9866A5716055178A69ED4A27AA075C972616CA66DE05D1F2760D2DB504FC0E4AC6FABBB297C98218B0577AFEA80A52E76C17C2287FAFB3A
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....?...&......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.IYY.k....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VYY.k....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VYY.k....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VYY.k...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VYY.k...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........~..G.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.992572531917182
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Salary_Increase_Approval_Open_Enrollment_2024.zip
File size:	40'215 bytes
MD5:	f46f6a6d3f24f11850cd405e361cf495
SHA1:	9425aabe014c80ea79fcbb68af4fd7b553a792b7
SHA256:	c239e74bce525ab693ca25768d9c95409bfad4fac5cfc3d7a4b114f8749e053e
SHA512:	521c4066f42ec67380ab26d130ce5ddcf01e9ebaac4e1e27fef8dedddf669f4a1c0ae85e0989462be4fd34c0af61205d36caef9bd31906985f0cbfa2720febd0
SSDEEP:	768:/44hrQWoi+PIgIuY9Qk9u84JLoOw0CkpfdaFO2bSU+YKKE13:/44hEWEFY9n9cw8pfgFOlU+Y2x
TLSH:	8203F144656AEE21EBD2A0ED86D1784EE8DE744F09F036844BF875F60B79D0F29D2113
File Content Preview:	PK.........QRY..o.I.......6...Salary_Increase_Approval_Open_Enrollment_202440943.pdf..eT\_.7......HH.@.........Cp..\....w....n.*....9..c......{..H......9.2..E(./HAC..G.G.g.c....G%.l..G..m.mfi.G%eogfl.o.G.......6...A.........\|.....?.G.gioa.>._G........J.X.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 15:30:29.929749966 CEST	52892	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:29.930244923 CEST	57389	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:29.936259985 CEST	53	51703	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:29.941055059 CEST	53	57389	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:29.952065945 CEST	53	52892	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:29.981800079 CEST	53	55939	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:31.421900988 CEST	53	59375	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:31.610088110 CEST	50391	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:31.610302925 CEST	51544	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:31.825048923 CEST	53	51544	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:31.895546913 CEST	53	50391	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:34.532968998 CEST	59193	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:34.533165932 CEST	54586	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:34.540798903 CEST	53	59193	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:34.540885925 CEST	53	54586	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:34.632498026 CEST	59092	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:34.632674932 CEST	53957	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:34.844697952 CEST	53	53957	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:34.846558094 CEST	53	59092	1.1.1.1	192.168.2.17
Oct 25, 2024 15:30:40.562346935 CEST	59398	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:30:48.442872047 CEST	53	52717	1.1.1.1	192.168.2.17
Oct 25, 2024 15:31:03.522092104 CEST	49746	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:31:07.392813921 CEST	53	55309	1.1.1.1	192.168.2.17
Oct 25, 2024 15:31:16.257694006 CEST	59118	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:31:29.735107899 CEST	53	56473	1.1.1.1	192.168.2.17
Oct 25, 2024 15:31:30.368156910 CEST	53	60786	1.1.1.1	192.168.2.17
Oct 25, 2024 15:31:38.118223906 CEST	138	138	192.168.2.17	192.168.2.255
Oct 25, 2024 15:31:40.339812994 CEST	57305	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:31:58.942717075 CEST	53	49671	1.1.1.1	192.168.2.17
Oct 25, 2024 15:32:04.438960075 CEST	60056	53	192.168.2.17	1.1.1.1
Oct 25, 2024 15:32:28.531935930 CEST	65446	53	192.168.2.17	1.1.1.1

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:31 UTC	844	OUT	GET /simplesaml/module.php/authrcnssoapi/redirect_login_state.php?spentityid=https%3A//journals.rcni.com/saml/metadata.action&RelayState=https://grandmaraissegwaytours.com/wp-services/404 HTTP/1.1 Host: authrcni.rcn.org.uk Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:31 UTC	728	IN	HTTP/1.1 303 See Other Date: Fri, 25 Oct 2024 13:30:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Location: https://grandmaraissegwaytours.com/wp-services/404 Set-Cookie: ARRAffinity=557b2b4e8ec52952609bbd646f50f6ddaf10fd81f783bbe69c10c32d3e23183a;Path=/;HttpOnly;Secure;Domain=authrcni.rcn.org.uk Set-Cookie: ARRAffinitySameSite=557b2b4e8ec52952609bbd646f50f6ddaf10fd81f783bbe69c10c32d3e23183a;Path=/;HttpOnly;SameSite=None;Secure;Domain=authrcni.rcn.org.uk Strict-Transport-Security: max-age=63072000; includeSubDomains X-Powered-By: PHP/7.4.30 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin X-Permitted-Cross-Domain-Policies: none

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:31 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LyrU3n3WnlMFWuu&MD=VyAL+vyU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-25 13:30:32 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 5f7de92e-aa90-4a32-8fd5-afce70cce5f2 MS-RequestId: 68475162-b8e7-42a8-9e71-c3526f9aeb7e MS-CV: GcDQstFxD0yg/SwW.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 25 Oct 2024 13:30:31 GMT Connection: close Content-Length: 24490
2024-10-25 13:30:32 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-25 13:30:32 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:32 UTC	684	OUT	GET /wp-services/404 HTTP/1.1 Host: grandmaraissegwaytours.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:32 UTC	272	IN	HTTP/1.1 503 Service Unavailable Date: Fri, 25 Oct 2024 13:30:32 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sun, 02 Oct 2022 13:07:59 GMT Accept-Ranges: bytes Content-Length: 5463 Vary: Accept-Encoding Content-Type: text/html
2024-10-25 13:30:32 UTC	5463	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Typ

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:34 UTC	583	OUT	GET /cgi-sys/js/simple-expand.min.js HTTP/1.1 Host: grandmaraissegwaytours.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://grandmaraissegwaytours.com/wp-services/404 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:34 UTC	268	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 13:30:34 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sun, 02 Oct 2022 13:05:34 GMT Accept-Ranges: bytes Content-Length: 2782 Vary: Accept-Encoding Content-Type: application/javascript
2024-10-25 13:30:34 UTC	2782	IN	Data Raw: 2f 2a 20 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 31 32 20 53 79 6c 76 61 69 6e 20 48 61 6d 65 6c 0a 50 72 6f 6a 65 63 74 3a 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 64 68 6f 74 73 6c 79 2f 73 69 6d 70 6c 65 2d 65 78 70 61 6e 64 0a 4d 49 54 20 4c 69 63 65 6e 63 65 3a 20 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 64 68 6f 74 73 6c 79 2f 73 69 6d 70 6c 65 2d 65 78 70 61 6e 64 2f 6d 61 73 74 65 72 2f 6c 69 63 65 6e 63 65 2d 6d 69 74 2e 74 78 74 20 2a 2f 0a 28 66 75 6e 63 74 69 6f 6e 28 24 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 66 75 6e 63 74 69 6f 6e 20 65 28 29 7b 76 61 72 20 65 3d 74 68 69 73 3b 65 2e 64 65 66 61 75 6c 74 73 3d 7b 68 69 64 65 4d 6f 64 65 3a 22 66 61 64 65 54 6f 67 67 6c Data Ascii: /* Copyright (C) 2012 Sylvain HamelProject: https://github.com/redhotsly/simple-expandMIT Licence: https://raw.github.com/redhotsly/simple-expand/master/licence-mit.txt */(function($){"use strict";function e(){var e=this;e.defaults={hideMode:"fadeToggl

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Salary_Increase_Approval_Open_Enrollment_2024.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\91b13d97-01e4-4603-9b00-727b0850ec36.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6176

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

C:\Users\user\AppData\Local\Temp\MSI33a65.LOG

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-25 09-30-29-345.log

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Windows Analysis Report
Salary_Increase_Approval_Open_Enrollment_2024.zip

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:34 UTC	632	OUT	GET /cgi-sys/images/w.png HTTP/1.1 Host: grandmaraissegwaytours.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://grandmaraissegwaytours.com/wp-services/404 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:34 UTC	233	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 13:30:34 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sun, 02 Oct 2022 13:06:32 GMT Accept-Ranges: bytes Content-Length: 15531 Content-Type: image/png
2024-10-25 13:30:34 UTC	7959	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 96 00 00 00 96 08 06 00 00 00 3c 01 71 e2 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 06 62 4b 47 44 00 ff 00 ff 00 ff a0 bd a7 93 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 07 74 49 4d 45 07 dd 08 1b 0d 13 25 f7 2f 38 88 00 00 20 00 49 44 41 54 78 da ed bd 79 74 1c d7 79 25 7e bf 57 d5 2b 1a 68 ec fb 4a 12 24 08 10 20 41 62 07 08 ee 22 68 ee a4 28 4a d4 62 c5 76 c6 fe 39 67 32 3e 99 39 b1 9d d8 27 56 e2 d8 e3 49 66 26 b1 47 72 12 4b b6 6c c7 b6 62 cb 8e 2c 59 8b b5 51 a2 24 52 12 f7 4d dc f7 05 04 01 62 5f bb bb ea fd fe a8 ed 75 a1 bb 01 4a 94 c4 a5 df 39 75 ba ba aa bb d1 a8 ba 7d bf ef dd 6f 79 40 7c c4 47 7c c4 47 7c c4 47 7c c4 47 7c c4 47 7c c4 47 7c c4 47 7c Data Ascii: PNGIHDR<qsRGBbKGDpHYstIME%/8 IDATxyty%~W+hJ$ Ab"h(Jbv9g2>9'VIf&GrKlb,YQ$RMb_uJ9u}oy@\|G\|G\|G\|G\|G\|G\|G\|
2024-10-25 13:30:34 UTC	7572	IN	Data Raw: a5 ef 24 c0 47 00 59 06 c8 ea 3e ac 4d dd c5 6c 50 41 4a 10 fc 26 26 f8 4e 86 29 34 d8 8a 31 6e 26 16 84 9b 3f 60 60 60 c0 8c fb 45 db 44 50 d9 59 4b 96 65 0c 8f 8c c0 93 18 05 54 b1 9e 47 63 2a fb 79 d8 98 99 80 b2 99 7d a8 9b fd 2a 7e f8 c3 7f 47 79 f9 34 28 8a 0a 22 a2 b2 b2 4a cc 9f bf 70 33 c2 db 21 b9 3f 29 45 fe 13 03 56 46 46 06 db b8 71 63 5b 55 55 75 8b d3 e9 e0 00 90 90 e0 c1 ae 5d 07 d0 d9 3d 88 a9 83 3f 85 c2 c9 2c e8 b4 00 61 74 85 21 ab 10 02 dc 6a 6c 46 d0 18 cb c8 b3 32 34 2f 33 bf 1d 56 1e 3c 0f 8f 0d 8b 4b 14 8a 52 43 b4 d9 a1 c8 5e 06 b8 64 59 73 53 bd 5e 6f f8 8d 17 59 06 13 f8 58 2c 8a 2f 16 cd 14 8a e7 15 e0 c1 bb f7 e3 cc 99 13 d8 b7 ef 03 54 56 ce 00 91 e6 72 d4 d4 34 f8 57 af 5e fd df 60 15 ba 7e 62 71 c4 4f 0a 58 d4 d9 d9 a9 16 Data Ascii: $GY>MlPAJ&&N)41n&?```EDPYKeTGcy}~Gy4("Jp3!?)EVFFqc[UUu]=?,at!jlF24/3V<KRC^dYsS^oYX,/TVr4W^`~bqOX

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:35 UTC	639	OUT	GET /cgi-sys/images/404top_w.jpg HTTP/1.1 Host: grandmaraissegwaytours.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://grandmaraissegwaytours.com/wp-services/404 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:35 UTC	233	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 13:30:35 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 03 Oct 2022 09:35:12 GMT Accept-Ranges: bytes Content-Length: 4335 Content-Type: image/jpeg
2024-10-25 13:30:35 UTC	4335	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff db 00 43 00 05 03 04 04 04 03 05 04 04 04 05 05 05 06 07 0c 08 07 07 07 07 0f 0b 0b 09 0c 11 0f 12 12 11 0f 11 11 13 16 1c 17 13 14 1a 15 11 11 18 21 18 1a 1d 1d 1f 1f 1f 13 17 22 24 22 1e 24 1c 1e 1f 1e ff db 00 43 01 05 05 05 07 06 07 0e 08 08 0e 1e 14 11 14 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e ff c0 00 11 08 00 a9 03 64 03 01 11 00 02 11 01 03 11 01 ff c4 00 1b 00 01 01 00 02 03 01 00 00 00 00 00 00 00 00 00 00 00 01 02 04 03 07 08 05 ff c4 00 3a 10 01 00 01 03 00 07 04 07 07 04 02 03 00 00 00 00 00 01 03 07 11 02 04 06 16 17 81 c2 12 21 94 d2 31 36 46 51 74 84 91 05 13 14 61 71 Data Ascii: JFIFHHC!"$"$Cd:!16FQtaq

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:35 UTC	637	OUT	GET /cgi-sys/images/404mid.gif HTTP/1.1 Host: grandmaraissegwaytours.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://grandmaraissegwaytours.com/wp-services/404 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:35 UTC	231	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 13:30:35 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sun, 02 Oct 2022 13:07:58 GMT Accept-Ranges: bytes Content-Length: 120 Content-Type: image/gif
2024-10-25 13:30:35 UTC	120	IN	Data Raw: 47 49 46 38 39 61 64 03 04 00 91 00 00 9a b2 c9 ff ff ff a0 b6 cc a1 b7 cd 21 f9 04 00 07 00 ff 00 2c 00 00 00 00 64 03 04 00 00 02 49 dc 82 a9 cb ed 0f a3 9c b4 da 8b b3 de bc fb 0f 86 e2 48 96 e6 89 a6 ea ca b6 ee 9b 00 80 01 d7 f6 8d e7 fa ce f7 fe 0f 0c 0a 87 44 8a 8c 56 4c 2a 97 cc a6 f3 09 8d 4a a7 54 cc f1 50 cd 6a b7 dc ae f7 0b 0e 8b 2d b2 02 00 3b Data Ascii: GIF89ad!,dIHDVL*JTPj-;

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:35 UTC	640	OUT	GET /cgi-sys/images/404bottom.gif HTTP/1.1 Host: grandmaraissegwaytours.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://grandmaraissegwaytours.com/wp-services/404 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:35 UTC	231	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 13:30:35 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sun, 02 Oct 2022 13:06:27 GMT Accept-Ranges: bytes Content-Length: 537 Content-Type: image/gif
2024-10-25 13:30:35 UTC	537	IN	Data Raw: 47 49 46 38 39 61 64 03 0e 00 d5 00 00 36 65 94 f7 f9 fb ad c0 d4 9d b4 cb cd d9 e4 7c 9b b9 a2 b8 ce 6d 8f b1 e6 ec f2 5c 82 a9 8c a7 c2 bd cd dc 4e 77 a1 f2 f5 f8 b0 c3 d5 85 a2 be dc e4 ec 93 ad c6 ff ff ff 58 7f a6 73 94 b5 a7 bc d0 c5 d2 e0 64 89 ad 81 9e bc d1 dc e7 ea ef f4 f6 f8 fa b3 c5 d7 7b 94 b5 7e 9d bb 8c ad c5 6b 94 b5 8c a5 bd 63 87 ac 59 80 a7 d4 de e8 ed f1 f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 f9 04 00 07 00 ff 00 2c 00 00 00 00 64 03 0e 00 00 06 ff 40 83 41 42 2c 1a 8f c8 a4 72 c9 6c 3a 9f d0 a8 74 4a ad 5a af d8 ac 76 cb ed 7a bf e0 b0 Data Ascii: GIF89ad6e\|m\NwXsd{~kcY!,d@AB,rl:tJZvz

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:35 UTC	623	OUT	GET /favicon.ico HTTP/1.1 Host: grandmaraissegwaytours.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://grandmaraissegwaytours.com/wp-services/404 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:36 UTC	272	IN	HTTP/1.1 503 Service Unavailable Date: Fri, 25 Oct 2024 13:30:36 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sun, 02 Oct 2022 13:07:59 GMT Accept-Ranges: bytes Content-Length: 5463 Vary: Accept-Encoding Content-Type: text/html
2024-10-25 13:30:36 UTC	5463	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Typ

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:40 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-25 13:30:40 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF70) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=184462 Date: Fri, 25 Oct 2024 13:30:40 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:41 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-25 13:30:41 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=184461 Date: Fri, 25 Oct 2024 13:30:41 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-25 13:30:41 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:41 UTC	475	OUT	GET /onboarding/smskillreader.txt HTTP/1.1 Host: armmf.adobe.com Connection: keep-alive Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br If-None-Match: "78-5faa31cce96da" If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
2024-10-25 13:30:41 UTC	198	IN	HTTP/1.1 304 Not Modified Content-Type: text/plain; charset=UTF-8 Last-Modified: Mon, 01 May 2023 15:02:33 GMT ETag: "78-5faa31cce96da" Date: Fri, 25 Oct 2024 13:30:41 GMT Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:30:43 UTC	623	OUT	GET /favicon.ico HTTP/1.1 Host: grandmaraissegwaytours.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://grandmaraissegwaytours.com/wp-services/404 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-25 13:30:43 UTC	272	IN	HTTP/1.1 503 Service Unavailable Date: Fri, 25 Oct 2024 13:30:43 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sun, 02 Oct 2022 13:07:59 GMT Accept-Ranges: bytes Content-Length: 5463 Vary: Accept-Encoding Content-Type: text/html
2024-10-25 13:30:43 UTC	5463	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Typ

Timestamp	Bytes transferred	Direction	Data
2024-10-25 13:31:10 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LyrU3n3WnlMFWuu&MD=VyAL+vyU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-25 13:31:11 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: caaa4486-d206-467c-b92e-119698f2ed7d MS-RequestId: f9a3897f-676a-4996-b57c-b7df12ca6d91 MS-CV: z0BGxhdaFESblEJQ.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 25 Oct 2024 13:31:10 GMT Connection: close Content-Length: 30005
2024-10-25 13:31:11 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-25 13:31:11 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro