Windows Analysis Report
Quotation.xls

Overview

General Information

Sample name:Quotation.xls
Analysis ID:1415005
MD5:0cd0b71b219419b688ecd6599223639a
SHA1:fde7e33898b73304755f1cff8578139f34246e23
SHA256:3a23b616a5944735ffa156ebfba3fcf8debec466c00687a52ecdbde03b2bd94a
Tags:Quotationxls
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Yara detected MalDoc
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

[Classification chart; axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; legend: clean, suspicious, malicious]
  • System is w7x64
  • EXCEL.EXE (PID: 3028 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • AcroRd32.exe (PID: 1872 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
      • RdrCEF.exe (PID: 3188 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Quotation.xls | JoeSecurity_MalDoc_4 | Yara detected MalDoc | Joe Security |

    System Summary

    Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.40, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3028, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
    Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3028, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 80
    Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3028, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
    No Snort rule has matched


    AV Detection

    Source: Quotation.xlsVirustotal: Detection: 20%Perma Link
    Source: Quotation.xlsReversingLabs: Detection: 13%
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: unknownHTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49164 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49165 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.168.2.22:49165 -> 13.107.246.40:443 version: TLS 1.2
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeDirectory queried: number of queries: 1007

    Software Vulnerabilities

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Source: global trafficDNS query: name: 2s.gg
    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 13.107.246.40:80
    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 13.107.246.40:443
    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 13.107.246.40:443
    Source: global trafficTCP traffic: 13.107.246.40:80 -> 192.168.2.22:49163
    Source: global trafficTCP traffic: 13.107.246.40:443 -> 192.168.2.22:49164
    Source: global trafficTCP traffic: 13.107.246.40:443 -> 192.168.2.22:49165

    Networking

    Source: Yara matchFile source: Quotation.xls, type: SAMPLE
    Source: Joe Sandbox ViewIP Address: 13.107.246.40 13.107.246.40
    Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
    Source: global trafficHTTP traffic detected: GET /3zM HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 2s.ggConnection: Keep-Alive
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9D8387D.emfJump to behavior
    Source: unknownDNS traffic detected: queries for: 2s.gg
    Source: Quotation.xls, CA130000.0.drString found in binary or memory: http://2s.gg/3zM1F2
    Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
    Source: unknownHTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49164 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49165 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 192.168.2.22:49165 -> 13.107.246.40:443 version: TLS 1.2

    System Summary

    Source: Screenshot number: 8Screenshot OCR: document is protected 1 Ta 2 V, CD Open :he dckumenc h Mkromit cc Previewunq dcm "e rS 2 not a
    Source: Quotation.xlsOLE: Microsoft Excel 2007+
    Source: CA130000.0.drOLE: Microsoft Excel 2007+
    Source: ~DF98F8EACBEB28D9F1.TMP.0.drOLE: Microsoft Excel 2007+
    Source: Quotation.xlsOLE indicator, VBA macros: true
    Source: Quotation.xlsStream path 'MBD000EE583/\x1Ole' : http://2s.gg/3zM1F2|Fmqa\>2DnD:)!5xs7C9yCm:~=>}Y#U{*5,W&L6z<#B@%RdonZ13#o&*^g/!&4tG<+xEEB3VG5aE0DU3EMOfBYmCQGIb1NxO6vDcLRY3i4I1dsTDn87JkVhZLDqd6o1c8TjSzTTlQWhSaWTiGlxGs6d8kDtjiEzsICrm3PH4I7JxGXtkjV0pXV9sqNK:&9,h+9GB6ao
    Source: CA130000.0.drStream path 'MBD000EE583/\x1Ole' : http://2s.gg/3zM1F2|Fmqa\>2DnD:)!5xs7C9yCm:~=>}Y#U{*5,W&L6z<#B@%RdonZ13#o&*^g/!&4tG<+xEEB3VG5aE0DU3EMOfBYmCQGIb1NxO6vDcLRY3i4I1dsTDn87JkVhZLDqd6o1c8TjSzTTlQWhSaWTiGlxGs6d8kDtjiEzsICrm3PH4I7JxGXtkjV0pXV9sqNK:&9,h+9GB6ao
    Source: ~DF98F8EACBEB28D9F1.TMP.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: classification engineClassification label: mal68.troj.expl.winXLS@11/29@1/2
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DATJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR6BAD.tmpJump to behavior
    Source: Quotation.xlsOLE indicator, Workbook stream: true
    Source: CA130000.0.drOLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
    Source: Quotation.xlsVirustotal: Detection: 20%
    Source: Quotation.xlsReversingLabs: Detection: 13%
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043Jump to behavior
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: unknown unknownJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: CA130000.0.drInitial sample: OLE indicators vbamacros = False
    Source: Quotation.xlsInitial sample: OLE indicators encrypted = True
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: Quotation.xlsStream path 'MBD000EE580/CONTENTS' entropy: 7.9671168067 (max. 8.0)
    Source: Quotation.xlsStream path 'Workbook' entropy: 7.99593560374 (max. 8.0)
    Source: CA130000.0.drStream path 'MBD000EE580/CONTENTS' entropy: 7.9671168067 (max. 8.0)
    Source: CA130000.0.drStream path 'Workbook' entropy: 7.99791051376 (max. 8.0)
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeDirectory queried: number of queries: 1007
    • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    • Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server
    • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    • Execution: 13 Exploitation for Client Execution; Scheduled Task/Job; At; Cron
    • Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    • Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    • Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 1 Process Injection; 1 Obfuscated Files or Information
    • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    • Discovery: 11 File and Directory Discovery; 2 System Information Discovery; Query Registry; System Network Configuration Discovery
    • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
    • Command and Control: 2 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; 2 Ingress Tool Transfer
    • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
    • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
    [Behavior graph. ID: 1415005, Sample: Quotation.xls, Startdate: 25/03/2024, Architecture: WINDOWS, Score: 68. Process chain: EXCEL.EXE started AcroRd32.exe, which started RdrCEF.exe. Network nodes: EXCEL.EXE -> 2s.gg 13.107.246.40, 443, 49163, 49164 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); RdrCEF.exe -> 192.168.2.255, 137, 138 (unknown).]

    Source | Detection | Scanner | Label | Link
    Quotation.xls | 21% | Virustotal | | Browse
    Quotation.xls | 13% | ReversingLabs | Document-Office.Trojan.Sonbokli |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    2s.gg | 0% | Virustotal | | Browse
    Source | Detection | Scanner | Label | Link
    http://2s.gg/3zM | 0% | Avira URL Cloud | safe |
    http://2s.gg/3zM1F2 | 0% | Avira URL Cloud | safe |
    http://2s.gg/3zM | 0% | Virustotal | | Browse


    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    2s.gg | 13.107.246.40 | true | false | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    http://2s.gg/3zM | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://2s.gg/3zM1F2 | Quotation.xls, CA130000.0.dr | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    13.107.246.40 | 2s.gg | United States | | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    IP
    192.168.2.255
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1415005
    Start date and time:2024-03-25 12:52:18 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 10s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Run name:Without Instrumentation
    Number of analysed new started processes analysed:10
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:Quotation.xls
    Detection:MAL
    Classification:mal68.troj.expl.winXLS@11/29@1/2
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .xls
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Active ActiveX Object
    • Active ActiveX Object
    • Active ActiveX Object
    • Active ActiveX Object
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
    • Excluded IPs from analysis (whitelisted): 23.50.124.134, 23.207.202.183, 23.207.202.187, 23.207.202.196
    • Excluded domains from analysis (whitelisted): ssl.adobe.com.edgekey.net, armmf.adobe.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, acroipm2.adobe.com
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtOpenFile calls found.
    • Report size getting too big, too many NtQueryDirectoryFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    11:53:34 | API Interceptor | 266x Sleep call for process: AcroRd32.exe modified
    11:53:40 | API Interceptor | 86x Sleep call for process: RdrCEF.exe modified
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      File Type:data
                      Category:modified
                      Size (bytes):270336
                      Entropy (8bit):0.0018811398465979306
                      Encrypted:false
                      SSDEEP:3:MsEllllkEthXllkl2zE4ltwCZq:/M/xT02z7Oz
                      MD5:E356C76ACF3317D02705149284017DF1
                      SHA1:7871F5D21209DD63E2228F369A9D5F153D70DE16
                      SHA-256:90FA1ADC9A3BB3EEB568406F7A4B2FA9E98EBBF58089853DD88745F3B4F9F3BD
                      SHA-512:2B9A0491A4096B02D3CC1C06A8BA28077A9F804E92DAB7F4526ED9E216D899C6B9461A51436678DDB86F82F509945F9679DF11D921CB7BDBE494B5D19E9D0388
                      Malicious:false
                      Reputation:low
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):292
                      Entropy (8bit):5.238155146872105
                      Encrypted:false
                      SSDEEP:6:FJX+q2PP2nKuAl9OmbnIFUt88JjZmw+8Jf2BVkwOP2nKuAl9OmbjLJ:uvWHAahFUt8w/+22P57HAaSJ
                      MD5:33906028D3DEA06F2BF237BAEBFDFA4B
                      SHA1:572289EAF5C62C2D1D77804B980F5F804E3C772B
                      SHA-256:AA60AC4568526BCD0E550A87BEC07481ABDE638CF1604B031876891F2ED9548F
                      SHA-512:A0BC9F6A1C1FE48E0AED091E1D32C9A9AE9F6888AA664836223B45C6D0B963B807CE7EBEEE205544C870C66F8C31F871EF191F8DFC01DEED7344E2E5B5FD34F3
                      Malicious:false
                      Reputation:low
                      Preview:2024/03/24-11:53:42.559 3268 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/03/24-11:53:42.560 3268 Recovering log #3.2024/03/24-11:53:42.561 3268 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):131072
                      Entropy (8bit):0.006738561099835664
                      Encrypted:false
                      SSDEEP:3:ImtVzzNXM1xVlt/XSxdlt4dV1gt/l:IiVzexlKxdX4m1l
                      MD5:D4CF1F3A7B99D7068973876B73A1F224
                      SHA1:415439B3A600BAA93C50CB1E29E75CCF22B24CD5
                      SHA-256:C1F5B396738C5E9346D2C9CDD39ECFB59CAB894EE387E9AD9629AB7F1B34AD06
                      SHA-512:5A0AA86402DBE099F487A805EF33AB3B644CA64CC83B1F47437FF24F57F3D2C6E5DBD5F35E4AF3640D2A9F493361A8F71751546620163DF278306FA5E7717D87
                      Malicious:false
                      Reputation:low
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3024000, file counter 15, database pages 15, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                      Category:dropped
                      Size (bytes):61440
                      Entropy (8bit):3.5761552870725093
                      Encrypted:false
                      SSDEEP:384:neh9dThqtELJ8DAcLKuZsLRGlKhsvXh+vSc:/AeZsLQhUSc
                      MD5:E7B6E83EC58A38694A8FE87CC7831966
                      SHA1:855175FDA6DB814A4C95924A20F0097E5BC76BC4
                      SHA-256:1174274E82BC5064ECDFC78BCDC2CA91773DE0B33C68A3DEB06AA0DC9103F360
                      SHA-512:7D1225B1673BC7BA1C038E18997C65C878055B1D063078B5891678206835B4BBFBA601D66E5EEE4BCBF9C8DCB47944C3DA155E7980D1297775112DFDB2BCA502
                      Malicious:false
                      Reputation:low
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      File Type:SQLite Rollback Journal
                      Category:dropped
                      Size (bytes):8720
                      Entropy (8bit):3.3126281281578103
                      Encrypted:false
                      SSDEEP:48:7MUL2iomVmBsmom1CAiomKom1Nom1Aiom1RROiom1Com1pom1viomVPiomg0qAlq:7vaCm6rAwhbCP0d49IVXEBodRBkH
                      MD5:D58A8C27BD4820D275592D9379390EB7
                      SHA1:CBF7C165D69ACBF747326EA467E079F40FF96C7B
                      SHA-256:9B25517D6C2A9EEC934F8E95F1D62194E1BB80064A197E6BCE7B9FEEE1D2251D
                      SHA-512:3FF5BA396732C6BF91FBE9607013506878D6F4DAB70E22E0037E464072ABB3A2658027C9B8C47A624D2580423A398258DCFBA24FC5E9B5252A8CAC0398CACACA
                      Malicious:false
                      Reputation:low
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):536
                      Entropy (8bit):5.17576513886526
                      Encrypted:false
                      SSDEEP:12:T4RFQ8idRuMgxg6dxs3yBFTtDcSTAzidRuOPgxg601s3yBFDHpcSa:kNid8HxPs3yTTtPmid8OPgx4s3yTDHBa
                      MD5:4D5E3CD969F14362210F0473720C5528
                      SHA1:AFD90E9888759B809F78E87D5550B601A288A0A3
                      SHA-256:79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE
                      SHA-512:B10C157945432CC8944E63A28CA3420CAD0C6B87BABC77BB5437DA5E3DF0CDEB657D410F28FA61D314E86269B8D1AC5972B0792D3E78787DFCE496EEE979DF64
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      File Type:PostScript document text
                      Category:dropped
                      Size (bytes):9566
                      Entropy (8bit):5.226610011802065
                      Encrypted:false
                      SSDEEP:192:eTA2j6Q6T766x626Oz6r606+6bfs6JtRZ65tsu6rtG16lMXY5B5Cfk:es4p0vTLcdfIfsmtRZEtsuatG1gMIzV
                      MD5:63B24EA3A13EAC476D6309BB202EF459
                      SHA1:89502C393549C20C933E4553F51F74F3DBE085EF
                      SHA-256:2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA
                      SHA-512:2CB315DD00867DEE3A2CBC4017B59C53B41E817216FE0111A60947E1F0D81FF6767D8F7B5C406AAF9E6516BE716A086642AFFABBEFBE4C5B260437C89E3535EC
                      Malicious:false
                      Preview:%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:Type1.FontName:AdobePiStd.FamilyName:Adobe Pi Std.StyleName:Regular.FullName:Adobe Pi Std.MenuName:Adobe Pi Std.StyleBits:0.WritingScript:Roman.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.DataFormat:sfntData.UsesStandardEncoding:yes.isCFF:yes.FileLength:92588.FileModTime:1426577650.WeightClass:400.WidthClass:5.AngleClass:0.DesignSize:240.NameArray:0,Mac,4,Adobe Pi Std.
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):176406
                      Entropy (8bit):2.484446607797001
                      Encrypted:false
                      SSDEEP:1536:ANTBeJFFFFFFp7LDyWC+voagpPOrtpyxxxxxxVzS:RDyt+voagpP
                      MD5:949FACFA2A9AF0437E9E0DC9B47519D0
                      SHA1:4BD793C2FD9C71D49874338C7C118631531FD032
                      SHA-256:5748FB2871CE9D51A2DBDB5A69BC89A02B74EFC6C64EE1EE164E4B7D8F01E0F5
                      SHA-512:2829763A349E8FFEF0777C9FBDB5C59BA28CE2AC778B2232FEEAED07F0E11A58B0F38CB5FD36A5AEB875C7732C985029F99A18A2E87BCF3BC1E7B87D1A9CABFF
                      Malicious:false
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):72643
                      Entropy (8bit):5.393779678652009
                      Encrypted:false
                      SSDEEP:768:PCbTjMYOpdyVFWqnPvBRSiRkTIVzY3Z2XqpWHDKXUHYyu:AlOpdyVFWcPvBBRkTIdY3w6UHK
                      MD5:C765890C72D1098C86BB149551F04F5B
                      SHA1:A170915B44BB6625069E25726E071E6E552D7C3E
                      SHA-256:C1F668F57FE219F028EE8DE7A81EFA842ED9D3AEA7464A979494C7B6DBC98BA7
                      SHA-512:F8E6FE00A7EC0376EB472DF7EE49F8A718427C0EFE5D26482127AAA9F4FEB0B90ED94F08B1A06BC99FEDE09B1D8AAC60F1292A81338CC211492F19A501535B14
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category:dropped
                      Size (bytes):884312
                      Entropy (8bit):1.2944965349348616
                      Encrypted:false
                      SSDEEP:1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw
                      MD5:9ABE7EB352E0DB96B52C99AC2FDEA85F
                      SHA1:8DC45D02308275BA32B7FFB320A3042256D40C8B
                      SHA-256:EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
                      SHA-512:E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category:dropped
                      Size (bytes):433328
                      Entropy (8bit):5.820372794819892
                      Encrypted:false
                      SSDEEP:6144:5ifm7kwvqU4iyCbPUV7gdaI6z0R/sjBx2:5l7kwvqULUVS
                      MD5:80FFFCB0396B7B7239A1C487BC4ED268
                      SHA1:10C60440CAA34570EECCBA82ECFD190AD62BABF9
                      SHA-256:9EF35080E86224DB2E177FD5476252DC848E82A635F92B04A6E3C35ED79E34B6
                      SHA-512:30A23B18E5ACEC847F6C76F3B1F1828EFBCF5308B09C933B96AF4D6D881621B30D3D9EE3DAC4CD42FAAD34578667E37E7EF5D08F8BE87FBDEAA21967A735CDE4
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category:dropped
                      Size (bytes):884312
                      Entropy (8bit):1.2944875740888722
                      Encrypted:false
                      SSDEEP:1536:k3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:5ux/ZiOE85e+8J2dvRcvMyw
                      MD5:B6DFB3AA7AC4A1A52336C30FA821857B
                      SHA1:66ECB808A516AC5B07A01CDFCAD65FD7B9907619
                      SHA-256:E22202331F689D7568E674B0DCD895DF66FAC5980498F05A846DE244AB3394C4
                      SHA-512:A13562F976BCBEEF7D4B4926C37E39BFD4C588EF6E746792B806E6737C91604175395021D4884493D764CE7F0EE2ACC6C7D03A6045A5B4ED6616E5D7E4C9FE94
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category:dropped
                      Size (bytes):4056
                      Entropy (8bit):1.9017483361098562
                      Encrypted:false
                      SSDEEP:24:YOu6PJqRixxBBBQAAJnHbG/KD3ql/mfzG/S6ATn9eDIb6eD/qLvae:9u6IRixxBBBQlJatF6n8g/wae
                      MD5:8F636083CE616F8EB610556C57CC3CAA
                      SHA1:4291DA8874EF4A60300F4BAAEC84F5A4A425E31E
                      SHA-256:62E41677B9A6F9B0139BB4D5EAA890F1423F707383A960FFA261A7C4A677F3EB
                      SHA-512:78FF54528C73E9E52C67FC8536BDA2628F4177ACDC9E749F4EAF69639F82E468B3766AEACD4F24BABCB30227572B2F522FDDF2FBD8B790C474ACF313BD32C84A
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category:dropped
                      Size (bytes):4056
                      Entropy (8bit):1.929653848333741
                      Encrypted:false
                      SSDEEP:12:YB1uOUvJqRENEtEtEdEdEdEO6Mcs/vs9/09v89fE9vM9/U9Lzlm97z9m9Lz1m9bO:Y7uTvJqRiGGWWWRKqurbkdBvae
                      MD5:4A103FC1809C8EA381D2ACB5380EF4F6
                      SHA1:6C81D37798C4D78C64E7D3EF7EB2ACB317C9FF67
                      SHA-256:1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
                      SHA-512:77DA8AB022505D77F89749E97628CAF4DD8414251CB673598ACBA8F7D30D1889037FAB30094A6CE7DC47293697A6BEF28B92364D00129B59D2FC3711C82650F5
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category:dropped
                      Size (bytes):330948
                      Entropy (8bit):4.97410497936274
                      Encrypted:false
                      SSDEEP:3072:H0Bd8yCKdQW2222222Igccz3/qSmV1XITSuaZgOTARfMDc1ji:H0Bd8yCKdQRzw4muaZ9TARfMDcFi
                      MD5:91E42C95A20C0DA7401F5D2FE56963B5
                      SHA1:5E7247DB014DABC98E6A6334E01A123111F999A6
                      SHA-256:16C7596240D87E8C68DA3B103C151665626023CAB52BC8667558D927B5353F27
                      SHA-512:64E2B7E0A3B016A1C25E43F10F8F536451A8FEE2345F3CB0DC913F18FB1C71726C95E7702220AECDDC9C15B8AC1C5F909AFF703C11102FE10CCE3140850DDC5C
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):172032
                      Entropy (8bit):6.203825072432931
                      Encrypted:false
                      SSDEEP:3072:BZkJAg15FTKWIHSApIYYFxEtjPOtioVjDGUU1qfDlaGGx+cugLX0d6RwE/zDiamj:BZunFTqynxEtjPOtioVjDGUU1qfDlavK
                      MD5:B0B039C9D556965D0D5748A4666FE1DE
                      SHA1:5549D605D38B29D0BAEFB557DAA7A530957C4FAC
                      SHA-256:C084C8C4CE9857D5691C11BF2D49F265A2BBBE660425E6CFDA14C2B29F4D89A4
                      SHA-512:3F21F457A60CD2694C45B8EAA4A723A7907F41B3C47914AEEB84E55D09008767084C7DC276AF6BD03D115A2443D3AEF060FB463B05317A612E0BBA81EDD8569F
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):512
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3::
                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):512
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3::
                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):11776
                      Entropy (8bit):5.8539726837564245
                      Encrypted:false
                      SSDEEP:192:KoruQTYZwtFEBP6pIMkrlzDDgoAlKl0CkDNpJ:ZBTYOIBP+kBHnAclSDF
                      MD5:5CC24B2C64A3E891AC20A84EBCB285A0
                      SHA1:63D685400D0EC628051188F5A621C76B64AFFE4B
                      SHA-256:1ED7D2517E0116192B12605739CBFAC7E644BDCA430763D6D02FBA63951AE780
                      SHA-512:778917037AD06BADDC8A197D30BB60EFE3B36EAD0040CD4BF2DE4CE56F9925D24D4E503AB9CBD812464060BF42CEFA9C5EE406B1CE1BF952386778960802BA54
                      Malicious:false
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):10240
                      Entropy (8bit):0.6739662216458647
                      Encrypted:false
                      SSDEEP:12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
                      MD5:C61F99FE7BEE945FC31B62121BE075CD
                      SHA1:083BBD0568633FECB8984002EB4FE8FA08E17DD9
                      SHA-256:1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
                      SHA-512:46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
                      Malicious:false
                      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):24152
                      Entropy (8bit):0.7532185028349225
                      Encrypted:false
                      SSDEEP:48:CMnfnO4FGtsFqN6t8nlztZKR6axR6uiozVb:ZnfO4kWKpZKdxR35
                      MD5:520FE964934AF1AB0CEBA2366830D0FA
                      SHA1:B90310ACA870261CB619FDFD1E54E1B1A25074FF
                      SHA-256:DBD45EEA386D364B30BA189E079BFA05C2C40D9E5E83722C39A171998ED079C1
                      SHA-512:A4839A6AB8DB522D9121A590B8C711E8C4F172D9CB71C918860F8048472920F3341B7BA624DFF514BE397809149E4471B2DF981DC81FE77C26B2DDF342A42F8C
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sun Mar 24 10:53:49 2024, Security: 1
                      Category:dropped
                      Size (bytes):364544
                      Entropy (8bit):7.806741893911411
                      Encrypted:false
                      SSDEEP:6144:ulunhTqypxEtjPOtioVjDGUU1qfDlavx+fgLX0d6NivPbVWre6EAKnXgt1W/hdyG:uIhTz+CbVWHKXgt1sdR/vmsw872W
                      MD5:266ACEF87A0366FDACDDA4E381195D72
                      SHA1:229E8EBD3A16BDA6A05373A30EA16ADAF0E6358D
                      SHA-256:ABF9C2F24423AD52E8501DAD92EA8CA5AADA461EF024DA5CD3A0E88CD8CDDDD1
                      SHA-512:0F854B5F3BE22A46F1243664F29965D664D2DAE8DAA545F7589CEB69400D4AB5845AA61D41818D6E945B0F1559BB9E9553EF519F5E60A2C002640BB142BA3B30
                      Malicious:false
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:false
                      Preview:[ZoneTransfer]....ZoneId=0
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sun Mar 24 10:53:49 2024, Security: 1
                      Category:dropped
                      Size (bytes):364544
                      Entropy (8bit):7.806741893911411
                      Encrypted:false
                      SSDEEP:6144:ulunhTqypxEtjPOtioVjDGUU1qfDlavx+fgLX0d6NivPbVWre6EAKnXgt1W/hdyG:uIhTz+CbVWHKXgt1sdR/vmsw872W
                      MD5:266ACEF87A0366FDACDDA4E381195D72
                      SHA1:229E8EBD3A16BDA6A05373A30EA16ADAF0E6358D
                      SHA-256:ABF9C2F24423AD52E8501DAD92EA8CA5AADA461EF024DA5CD3A0E88CD8CDDDD1
                      SHA-512:0F854B5F3BE22A46F1243664F29965D664D2DAE8DAA545F7589CEB69400D4AB5845AA61D41818D6E945B0F1559BB9E9553EF519F5E60A2C002640BB142BA3B30
                      Malicious:false
                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sun Mar 24 17:45:21 2024, Security: 1
                      Entropy (8bit):7.444659639727352
                      TrID:
                      • Microsoft Excel sheet (30009/1) 47.99%
                      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                      File name:Quotation.xls
                      File size:325'120 bytes
                      MD5:0cd0b71b219419b688ecd6599223639a
                      SHA1:fde7e33898b73304755f1cff8578139f34246e23
                      SHA256:3a23b616a5944735ffa156ebfba3fcf8debec466c00687a52ecdbde03b2bd94a
                      SHA512:4f100911dd165722b710438510ca61b7541d22c9c25a2df59f2c5f49ad40ed789b6754f143930dee88bf45f063d0ed2548e97713f29ccd13db24f9b03493308a
                      SSDEEP:6144:ZyunhXx+oY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVqIMIlSD3Sclx/nTOtB:ZzhXx+l3bVqIMIlSDicj6Is
                      TLSH:EF64E151BE91874AE85607754DFB4A9A6325FC41AF524F0F324CF71D3EB03A44E2BA22
                      Icon Hash:276ea3a6a6b7bfbf
                      Document Type:OLE
                      Number of OLE Files:1
                      Has Summary Info:
                      Application Name:Microsoft Excel
                      Encrypted Document:True
                      Contains Word Document Stream:False
                      Contains Workbook/Book Stream:True
                      Contains PowerPoint Document Stream:False
                      Contains Visio Document Stream:False
                      Contains ObjectPool Stream:False
                      Flash Objects Count:0
                      Contains VBA Macros:True
                      Code Page:1252
                      Author:
                      Last Saved By:
                      Create Time:2006-09-16 00:00:00
                      Last Saved Time:2024-03-24 17:45:21
                      Creating Application:Microsoft Excel
                      Security:1
                      Document Code Page:1252
                      Thumbnail Scaling Desired:False
                      Contains Dirty Links:False
                      Shared Document:False
                      Changed Hyperlinks:False
                      Application Version:786432
                      General
                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                      VBA File Name:Sheet1.cls
                      Stream Size:977
                      Attribute VB_Name = "Sheet1"
                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                      Attribute VB_GlobalNameSpace = False
                      Attribute VB_Creatable = False
                      Attribute VB_PredeclaredId = True
                      Attribute VB_Exposed = True
                      Attribute VB_TemplateDerived = False
                      Attribute VB_Customizable = True
                      

                      General
                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                      VBA File Name:Sheet2.cls
                      Stream Size:977
                      Attribute VB_Name = "Sheet2"
                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                      Attribute VB_GlobalNameSpace = False
                      Attribute VB_Creatable = False
                      Attribute VB_PredeclaredId = True
                      Attribute VB_Exposed = True
                      Attribute VB_TemplateDerived = False
                      Attribute VB_Customizable = True
                      

                      General
                      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                      VBA File Name:Sheet3.cls
                      Stream Size:977
                      Attribute VB_Name = "Sheet3"
                      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                      Attribute VB_GlobalNameSpace = False
                      Attribute VB_Creatable = False
                      Attribute VB_PredeclaredId = True
                      Attribute VB_Exposed = True
                      Attribute VB_TemplateDerived = False
                      Attribute VB_Customizable = True
                      

                      General
                      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                      VBA File Name:ThisWorkbook.cls
                      Stream Size:985
                      Attribute VB_Name = "ThisWorkbook"
                      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                      Attribute VB_GlobalNameSpace = False
                      Attribute VB_Creatable = False
                      Attribute VB_PredeclaredId = True
                      Attribute VB_Exposed = True
                      Attribute VB_TemplateDerived = False
                      Attribute VB_Customizable = True
                      

                      General
                      Stream Path:\x1CompObj
                      CLSID:
                      File Type:data
                      Stream Size:114
                      Entropy:4.25248375192737
                      Base64 Encoded:True
                      General
                      Stream Path:\x5DocumentSummaryInformation
                      CLSID:
                      File Type:data
                      Stream Size:244
                      Entropy:2.889430592781307
                      Base64 Encoded:False
                      General
                      Stream Path:\x5SummaryInformation
                      CLSID:
                      File Type:data
                      Stream Size:200
                      Entropy:3.2920681057018664
                      Base64 Encoded:False
                      General
                      Stream Path:MBD000EE580/\x1CompObj
                      CLSID:
                      File Type:data
                      Stream Size:94
                      Entropy:4.345966460061678
                      Base64 Encoded:False
                      General
                      Stream Path:MBD000EE580/\x1Ole
                      CLSID:
                      File Type:data
                      Stream Size:62
                      Entropy:2.7788384466112834
                      Base64 Encoded:False
                      General
                      Stream Path:MBD000EE580/CONTENTS
                      CLSID:
                      File Type:PDF document, version 1.7, 1 pages
                      Stream Size:20909
                      Entropy:7.967116806702583
                      Base64 Encoded:True
                      General
                      Stream Path:MBD000EE581/\x1CompObj
                      CLSID:
                      File Type:data
                      Stream Size:113
                      Entropy:3.9544012817407785
                      Base64 Encoded:False
                      General
                      Stream Path:MBD000EE581/Package
                      CLSID:
                      File Type:Microsoft Excel 2007+
                      Stream Size:11603
                      Entropy:7.129143775443908
                      Base64 Encoded:True
                      General
                      Stream Path:MBD000EE582/\x1CompObj
                      CLSID:
                      File Type:data
                      Stream Size:114
                      Entropy:4.25248375192737
                      Base64 Encoded:True
                      General
                      Stream Path:MBD000EE582/\x5DocumentSummaryInformation
                      CLSID:
                      File Type:data
                      Stream Size:708
                      Entropy:3.6235698530352805
                      Base64 Encoded:True
                      General
                      Stream Path:MBD000EE582/\x5SummaryInformation
                      CLSID:
                      File Type:data
                      Stream Size:23248
                      Entropy:3.023529376533741
                      Base64 Encoded:True
                      General
                      Stream Path:MBD000EE582/Workbook
                      CLSID:
                      File Type:Applesoft BASIC program data, first line number 16
                      Stream Size:97808
                      Entropy:7.365164212626042
                      Base64 Encoded:True
                      General
                      Stream Path:MBD000EE583/\x1Ole
                      CLSID:
                      File Type:data
                      Stream Size:578
                      Entropy:5.890730367113106
                      Base64 Encoded:False
                      General
                      Stream Path:Workbook
                      CLSID:
                      File Type:Applesoft BASIC program data, first line number 16
                      Stream Size:151279
                      Entropy:7.995935603742815
                      Base64 Encoded:True
                      General
                      Stream Path:_VBA_PROJECT_CUR/PROJECT
                      CLSID:
                      File Type:ASCII text, with CRLF line terminators
                      Stream Size:523
                      Entropy:5.281635851471027
                      Base64 Encoded:True
                      General
                      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                      CLSID:
                      File Type:data
                      Stream Size:104
                      Entropy:3.0488640812019017
                      Base64 Encoded:False
                      General
                      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                      CLSID:
                      File Type:data
                      Stream Size:2644
                      Entropy:3.9874635293076497
                      Base64 Encoded:False
                      General
                      Stream Path:_VBA_PROJECT_CUR/VBA/dir
                      CLSID:
                      File Type:data
                      Stream Size:553
                      Entropy:6.364380970389258
                      Base64 Encoded:True

                      • Total Packets: 23
                      • 443 (HTTPS)
                      • 80 (HTTP)
                      • 53 (DNS)
                      Timestamp:Mar 25, 2024 12:53:27.150363922 CET
                      Source IP:192.168.2.22
                      Dest IP:8.8.8.8
                      Trans ID:0xdddc
                      OP Code:Standard query (0)
                      Name:2s.gg
                      Type:A (IP address)
                      Class:IN (0x0001)
                      DNS over HTTPS:false

                      Timestamp:Mar 25, 2024 12:53:27.256373882 CET
                      Source IP:8.8.8.8
                      Dest IP:192.168.2.22
                      Trans ID:0xdddc
                      Reply Code:No error (0)
                      Name:2s.gg
                      CName:
                      Address:13.107.246.40
                      Type:A (IP address)
                      Class:IN (0x0001)
                      DNS over HTTPS:false

                      Timestamp:Mar 25, 2024 12:53:27.256373882 CET
                      Source IP:8.8.8.8
                      Dest IP:192.168.2.22
                      Trans ID:0xdddc
                      Reply Code:No error (0)
                      Name:2s.gg
                      CName:
                      Address:13.107.213.40
                      Type:A (IP address)
                      Class:IN (0x0001)
                      DNS over HTTPS:false
                      • 2s.gg
                      Session ID:0
                      Source IP:192.168.2.22
                      Source Port:49163
                      Destination IP:13.107.246.40
                      Destination Port:80
                      PID:3028
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      Timestamp:Mar 25, 2024 12:53:27.367100954 CET
                      Bytes transferred:315
                      Direction:OUT
                      Data:
                      GET /3zM HTTP/1.1
                      Accept: */*
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 2s.gg
                      Connection: Keep-Alive
                      Timestamp:Mar 25, 2024 12:53:27.467048883 CET
                      Bytes transferred:274
                      Direction:IN
                      Data:
                      HTTP/1.1 307 Temporary Redirect
                      Date: Mon, 25 Mar 2024 11:53:27 GMT
                      Content-Type: text/html
                      Content-Length: 0
                      Connection: keep-alive
                      Location: https://2s.gg/3zM
                      x-azure-ref: 20240325T115327Z-ybudv4vsrp4sv0hhd7uf0yttks00000003yg00000001c9gz
                      X-Cache: CONFIG_NOCACHE
                      Timestamp:Mar 25, 2024 12:53:51.913686037 CET
                      Bytes transferred:315
                      Direction:OUT
                      Data:
                      GET /3zM HTTP/1.1
                      Accept: */*
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 2s.gg
                      Connection: Keep-Alive
                      Timestamp:Mar 25, 2024 12:53:52.014431000 CET
                      Bytes transferred:274
                      Direction:IN
                      Data:
                      HTTP/1.1 307 Temporary Redirect
                      Date: Mon, 25 Mar 2024 11:53:51 GMT
                      Content-Type: text/html
                      Content-Length: 0
                      Connection: keep-alive
                      Location: https://2s.gg/3zM
                      x-azure-ref: 20240325T115351Z-ybudv4vsrp4sv0hhd7uf0yttks00000003yg00000001cc2u
                      X-Cache: CONFIG_NOCACHE



                      Target ID:0
                      Start time:11:53:04
                      Start date:24/03/2024
                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      Wow64 process (32bit):false
                      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                      Imagebase:0x13ffc0000
                      File size:28'253'536 bytes
                      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:4
                      Start time:11:53:33
                      Start date:24/03/2024
                      Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
                      Imagebase:0xf0000
                      File size:2'525'680 bytes
                      MD5 hash:2F8D93826B8CBF9290BC57535C7A6817
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:11:53:40
                      Start date:24/03/2024
                      Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                      Imagebase:0x3d0000
                      File size:9'805'808 bytes
                      MD5 hash:326A645391A97C760B60C558A35BB068
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      No disassembly