
Windows Analysis Report
PO_OCF 408.xls

Overview

General Information

Sample name: PO_OCF 408.xls
Analysis ID: 1416056
MD5: b1b6a921c32d375e2bc145aabc5590ed
SHA1: df721ea78886ba9fa47e0b4ff172cff71d3eac65
SHA256: 6d0082a6aaeb5d47a2083d5b416c7b7e906c9e25e0f1f1c92a9ae44ae6f38b9f
Tags: HUN, xls

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Yara detected MalDoc
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

Classification chart (labels): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w7x64
  • EXCEL.EXE (PID: 1884 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • AcroRd32.exe (PID: 2212 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
      • RdrCEF.exe (PID: 2164 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
PO_OCF 408.xls | JoeSecurity_MalDoc_4 | Yara detected MalDoc | Joe Security |

    System Summary

    Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.246.40, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1884, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
    Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1884, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 80
    Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1884, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
    No Snort rule has matched


    AV Detection

    Source: PO_OCF 408.xls | ReversingLabs: Detection: 23%
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49164 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49165 version: TLS 1.2

    Software Vulnerabilities

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Source: global traffic | DNS query: name: 2s.gg
    Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 13.107.246.40:80
    Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 13.107.246.40:443
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 13.107.246.40:443
    Source: global traffic | TCP traffic: 13.107.246.40:80 -> 192.168.2.22:49163
    Source: global traffic | TCP traffic: 13.107.246.40:443 -> 192.168.2.22:49164
    Source: global traffic | TCP traffic: 13.107.246.40:443 -> 192.168.2.22:49165

    Networking

    Source: Yara match | File source: PO_OCF 408.xls, type: SAMPLE
    Source: Joe Sandbox View | IP Address: 13.107.246.40 13.107.246.40
    Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
    Source: global traffic | HTTP traffic detected:
        GET /42Q HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 2s.gg
        Connection: Keep-Alive
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB0A7E0F.emf
    Source: unknown | DNS traffic detected: queries for: 2s.gg
    Source: PO_OCF 408.xls, E9030000.0.dr | String found in binary or memory: http://2s.gg/42Q
    Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49164
    Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49164 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49165 version: TLS 1.2

    System Summary

    Source: Screenshot number: 4 | Screenshot OCR: document is protected 10 11 12 1 Tat 13 14 15 16 (g Open thedocumem in If 1Nsdoament Once yw
    Source: PO_OCF 408.xls | OLE: Microsoft Excel 2007+
    Source: ~DFD8A665F485A8F140.TMP.0.dr | OLE: Microsoft Excel 2007+
    Source: E9030000.0.dr | OLE: Microsoft Excel 2007+
    Source: PO_OCF 408.xls | OLE indicator, VBA macros: true
    Source: ~DFD8A665F485A8F140.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: classification engine | Classification label: mal68.troj.expl.winXLS@10/21@1/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR6BEB.tmp
    Source: PO_OCF 408.xls | OLE indicator, Workbook stream: true
    Source: E9030000.0.dr | OLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: PO_OCF 408.xls | ReversingLabs: Detection: 23%
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: unknown unknown
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: unknown unknown
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: ~DFD8A665F485A8F140.TMP.0.dr | Initial sample: OLE indicators vbamacros = False
    Source: PO_OCF 408.xls | Initial sample: OLE indicators encrypted = True
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
    Source: PO_OCF 408.xls | Stream path 'MBD000A282D/CONTENTS' entropy: 7.9671168067 (max. 8.0)
    Source: PO_OCF 408.xls | Stream path 'Workbook' entropy: 7.99543645219 (max. 8.0)
    Source: E9030000.0.dr | Stream path 'MBD000A282D/CONTENTS' entropy: 7.9671168067 (max. 8.0)
    Source: E9030000.0.dr | Stream path 'Workbook' entropy: 7.99738089536 (max. 8.0)
    MITRE ATT&CK Matrix (techniques per tactic; a leading number marks a technique matched by that many signatures):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: 13 Exploitation for Client Execution; Scheduled Task/Job; At; Cron
    Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 1 Process Injection; 1 Obfuscated Files or Information
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    Discovery: 1 File and Directory Discovery; 2 System Information Discovery; Query Registry; System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
    Command and Control: 2 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; 2 Ingress Tool Transfer
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph (text rendering):
    Behavior Graph ID: 1416056
    Sample: PO_OCF 408.xls
    Startdate: 26/03/2024
    Architecture: WINDOWS
    Score: 68
    Signatures on the sample node: Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Excel sheet contains many unusual embedded objects; 2 other signatures
    Process chain: EXCEL.EXE [58 47] started -> AcroRd32.exe [22] started -> RdrCEF.exe [2] started
    DNS/IP node (contacted by EXCEL.EXE): 2s.gg 13.107.246.40, 443, 49163, 49164, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States

    Source | Detection | Scanner | Label | Link
    PO_OCF 408.xls | 24% | ReversingLabs | Win32.Trojan.Generic |
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://2s.gg/42Q | 0% | Avira URL Cloud | safe |


    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    2s.gg | 13.107.246.40 | true | false | | unknown

    Name | Malicious | Antivirus Detection | Reputation
    http://2s.gg/42Q | false | Avira URL Cloud: safe | unknown

    Reputation legend:
    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    13.107.246.40 | 2s.gg | United States | | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1416056
    Start date and time: 2024-03-26 19:41:07 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 4m 5s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: defaultwindowsofficecookbook.jbs
    Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes: 9
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: PO_OCF 408.xls
    Detection: MAL
    Classification: mal68.troj.expl.winXLS@10/21@1/1
    EGA Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .xls
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Active ActiveX Object
    • Active ActiveX Object
    • Active ActiveX Object
    • Active ActiveX Object
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: PO_OCF 408.xls
    Time | Type | Description
    18:42:20 | API Interceptor | 182x Sleep call for process: AcroRd32.exe modified
    18:42:36 | API Interceptor | 35x Sleep call for process: RdrCEF.exe modified
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      13.107.246.4006836722_218 Aluplast.docx.docGet hashmaliciousUnknownBrowse
      • 2s.gg/3zk
      Quotation.xlsGet hashmaliciousUnknownBrowse
      • 2s.gg/3zM
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      2s.gg06836722_218 Aluplast.docx.docGet hashmaliciousUnknownBrowse
      • 13.107.246.40
      Quotation.xlsGet hashmaliciousUnknownBrowse
      • 13.105.221.39
      06836722_218 Aluplast.docx.docGet hashmaliciousUnknownBrowse
      • 13.105.221.20
      Quotation.xlsGet hashmaliciousUnknownBrowse
      • 13.105.221.2
      Quotation.xlsGet hashmaliciousUnknownBrowse
      • 13.105.221.21
      po3495954.xlsGet hashmaliciousUnknownBrowse
      • 13.105.221.2
      po3495954.xlsGet hashmaliciousUnknownBrowse
      • 13.105.221.21
      po3495954.xlsGet hashmaliciousUnknownBrowse
      • 13.105.221.2
      Quotation.xlsGet hashmaliciousUnknownBrowse
      • 13.107.246.40
      Quotation.xlsGet hashmaliciousUnknownBrowse
      • 13.107.213.41
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | bUrQ.exe | Get hash | malicious | Njrat | Browse | 20.206.240.63
MICROSOFT-CORP-MSN-AS-BLOCKUS | bUrQ.exe | Get hash | malicious | Njrat | Browse | 20.206.240.63
MICROSOFT-CORP-MSN-AS-BLOCKUS | bUrP.exe | Get hash | malicious | XWorm | Browse | 191.233.27.50
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://url.us.m.mimecastprotect.com/s/kyINCpYnk3FnPVPtPeQKH?domain=gcv.microsoft.us | Get hash | malicious | HTMLPhisher | Browse | 52.127.240.65
MICROSOFT-CORP-MSN-AS-BLOCKUS | re-march-26-2024-6488.xlsx | Get hash | malicious | MAC Stealer | Browse | 13.107.213.40
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://38374993729929473939lk-us.de/202444/fresh2024link/schwab.com-fresh-RD588-user-ph-em(detail)/index.html | Get hash | malicious | Unknown | Browse | 13.107.42.14
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://new.express.adobe.com/webpage/sAiKE1YBfM7xe | Get hash | malicious | HTMLPhisher | Browse | 52.96.88.2
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://escwatersealuae-my.sharepoint.com/:b:/g/personal/coordinatorauh_watersealuae_com/EUgMEq3xHjpEtricc4GzY_gBScerXYXlOg6GhA2k7ick4g?e=1LFXqh | Get hash | malicious | Unknown | Browse | 13.107.136.10
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://usg02.safelinks.protection.office365.us/?url=https%3A%2F%2Frossdalecleprograms.bmailroute.net%2Fx%2Fd%3Fc%3D39280181%26l%3D2f3213c2-4b78-4245-ab7bec24c74da0c0%26r%3D6593b189-4eca-4deb-8017-9f09300903c0&data=05%7C02%7CMark.Shepherd%40dor.sc.gov%7C4d280c12a17e423dc1b008dc4da56570%7C304cb6fa07ed486cb7cb51ca42640e73%7C0%7C0%7C638470619979088564%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=iMmAqOqmUMgTXGPrjGJOgVW0iSy5fYzL5znUj%2FmTu2o%3D&reserved=0 | Get hash | malicious | HTMLPhisher | Browse | 23.103.209.28
MICROSOFT-CORP-MSN-AS-BLOCKUS | Quarantined Messages.zip | Get hash | malicious | HTMLPhisher | Browse | 52.109.6.63
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
36f7277af969a6947a61ae0b815907a1 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | po3495954.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | po3495954.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | https://download.adaware.com/nano_download.php?partner=IN221105&nonadmin&tych&campaign=20540828322 | Get hash | malicious | Unknown | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | Definitive Itinerary.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | Resqust for Quote.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
36f7277af969a6947a61ae0b815907a1 | qDhNH7gQYd.rtf | Get hash | malicious | AgentTesla | Browse | 13.107.246.40
      No context
      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      File Type:data
      Category:modified
      Size (bytes):270336
      Entropy (8bit):0.0018885380473555064
      Encrypted:false
      SSDEEP:3:MsEllllkEthXllkl2zE+/j//:/M/xT02zb
      MD5:9DF1593FEE4FCD00F72EBE0DD8F6D812
      SHA1:E83178164F1FA2E076E6A561ADFED2C058DBECDE
      SHA-256:15B9FC33A98427BEB4F7D666440AB2638B7237BDEFAD573F69262FAFC0DCC3E3
      SHA-512:ADDE1CF4C2B7015F446D0E44C991B9B83746904FC70A4602C571B87A02B726609CB138C2DC707AF629A6C844157081057A34F25FE59D9A5F2F62CD8EDA9CFEBA
      Malicious:false
      Reputation:low
      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      File Type:ASCII text
      Category:dropped
      Size (bytes):292
      Entropy (8bit):5.251652192067681
      Encrypted:false
      SSDEEP:6:FuUb5zN+q2PP2nKuAl9OmbnIFUt88uUb5tZZmw+8uUb5tNVkwOP2nKuAl9OmbjLJ:B5zIvWHAahFUt8W5tZ/+W5tz57HAaSJ
      MD5:BC2CE77F1C94189E3C739E651F39D3A6
      SHA1:3216796BA896AE002624EE3441F1D09ED40170FA
      SHA-256:1B6F50E670D3C45FF57098F94E8346BBDC5F0735E0B08C013686CD0FC5614119
      SHA-512:04E35D6115BF9FC839769B31063D74905C6204029EED36EA89D90E6F5E51BA1A8F24BAED95084FEFCDAD35CB1AFCF890FFB9F002D9A341A079567AB920090E08
      Malicious:false
      Reputation:low
      Preview:2024/03/25-18:42:37.651 3128 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/03/25-18:42:37.653 3128 Recovering log #3.2024/03/25-18:42:37.653 3128 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):0.005597679101775777
      Encrypted:false
      SSDEEP:3:ImtVOM1xVlt/XSxdltIt/l:IiVfxlKxdXI1l
      MD5:FD55D575475A6BD81B055F46FA34BA8B
      SHA1:289A6344929F221E19D2F9097A5907FE42C03855
      SHA-256:261CE45767DBF1E61AAF67C5EC1D75C2FF5C02681DF96897D5B0EC56A0F8C2AB
      SHA-512:F2247D89C3268E838AE6F4BCDC1C4BB9C60E4F2E05B1763CD152811661A00B8BFC467F71009894676E38CE31229DF35F6FC9F2F19C2911698012D0594697F098
      Malicious:false
      Reputation:moderate, very likely benign file
      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      File Type:data
      Category:dropped
      Size (bytes):126040
      Entropy (8bit):1.985251446829603
      Encrypted:false
      SSDEEP:384:hNzyk+spBXiosQUYuoB7OdnGbLq+AtKzZQ9w/fQ1D+v+W2gnHwvAgIEyXG1oJ/+e:ntwvgnHwvAP
      MD5:330C5CD92C1A1BA53D223D90D4D391F2
      SHA1:C00EBD56BD6F9AE08DA567BA1ACC03C019310D4C
      SHA-256:3A63E107719ACD1588F7743E7BDC5990394C6D84134BD8093FAB20B16BB5B07F
      SHA-512:0C3EEFF95351BB418799345ACEBC72046C82BF9E5DC8480CCFDFB7E1CE3A2A208439C4F4EB1BFCA4B401BC4F6E1269645B41DD6F0DF622B968DF3CA2CE39222B
      Malicious:false
      Reputation:moderate, very likely benign file
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):433328
      Entropy (8bit):5.820528508142912
      Encrypted:false
      SSDEEP:6144:Bifm7kwvqU4iyCbPUV7gdaI6z0R/sjBx2:Bl7kwvqULUVS
      MD5:0A58C97C0448845A9EAA51E02C066A87
      SHA1:9242A149FE6330D035CDD62D32512E3270DF7587
      SHA-256:E6E9E16C76C7D33BCE7E91BE7C683C7A94D85E6C7BC408E9D769423312C6D7CA
      SHA-512:DE0380FAD1E7822AE2C5A0CBBA3B2CE0D721E058F6EFE8DB6EA95E5BFF8825ACEE634E9FE73E77926FFF9F6EDD9AB6744238B5BBEABF2F51B0A9FA7D93E2E8B1
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):4056
      Entropy (8bit):1.9017483361098562
      Encrypted:false
      SSDEEP:24:YOu6PJqRixxBBBQAAJnHbG/KD3ql/mfzG/S6ATn9eDIb6eD/qLvae:9u6IRixxBBBQlJatF6n8g/wae
      MD5:8F636083CE616F8EB610556C57CC3CAA
      SHA1:4291DA8874EF4A60300F4BAAEC84F5A4A425E31E
      SHA-256:62E41677B9A6F9B0139BB4D5EAA890F1423F707383A960FFA261A7C4A677F3EB
      SHA-512:78FF54528C73E9E52C67FC8536BDA2628F4177ACDC9E749F4EAF69639F82E468B3766AEACD4F24BABCB30227572B2F522FDDF2FBD8B790C474ACF313BD32C84A
      Malicious:false
      Reputation:moderate, very likely benign file
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):884312
      Entropy (8bit):1.2944875740888722
      Encrypted:false
      SSDEEP:1536:k3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:5ux/ZiOE85e+8J2dvRcvMyw
      MD5:B6DFB3AA7AC4A1A52336C30FA821857B
      SHA1:66ECB808A516AC5B07A01CDFCAD65FD7B9907619
      SHA-256:E22202331F689D7568E674B0DCD895DF66FAC5980498F05A846DE244AB3394C4
      SHA-512:A13562F976BCBEEF7D4B4926C37E39BFD4C588EF6E746792B806E6737C91604175395021D4884493D764CE7F0EE2ACC6C7D03A6045A5B4ED6616E5D7E4C9FE94
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):884312
      Entropy (8bit):1.2944965349348616
      Encrypted:false
      SSDEEP:1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw
      MD5:9ABE7EB352E0DB96B52C99AC2FDEA85F
      SHA1:8DC45D02308275BA32B7FFB320A3042256D40C8B
      SHA-256:EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
      SHA-512:E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):330948
      Entropy (8bit):4.973268478523415
      Encrypted:false
      SSDEEP:3072:90Bd8yCKdQW2222222Igccz3/qSmV1XITSuaZgOTARfMDc1ji:90Bd8yCKdQRzw4muaZ9TARfMDcFi
      MD5:08659781405024E100D0B67B032FEE12
      SHA1:F8E4C121D4FE0D35AB333AD79F5C4B06104B4AD0
      SHA-256:CA7CD4E41B8B2DDF5D8B720CDC0E1D48F634FE5E5EEE9DB432146E807A99F55D
      SHA-512:8536D53A8991BED15151FEBB344C8473D0890DE1BDECB52E386DC707B4D4DFD1CC8D2CC8A3F9A7DE41E4F16D2828BCD7DC5B1BBB001E93A91E2109C6D4D9FBE3
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):4056
      Entropy (8bit):1.929653848333741
      Encrypted:false
      SSDEEP:12:YB1uOUvJqRENEtEtEdEdEdEO6Mcs/vs9/09v89fE9vM9/U9Lzlm97z9m9Lz1m9bO:Y7uTvJqRiGGWWWRKqurbkdBvae
      MD5:4A103FC1809C8EA381D2ACB5380EF4F6
      SHA1:6C81D37798C4D78C64E7D3EF7EB2ACB317C9FF67
      SHA-256:1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
      SHA-512:77DA8AB022505D77F89749E97628CAF4DD8414251CB673598ACBA8F7D30D1889037FAB30094A6CE7DC47293697A6BEF28B92364D00129B59D2FC3711C82650F5
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):172032
      Entropy (8bit):6.196196069117546
      Encrypted:false
      SSDEEP:3072:BZkJAg15FTKWIH+mpIYYFxEtjPOtioVjDGUU1qfDlaGGx+cugLX0d6zwE/zDiamU:BZunFTqeZxEtjPOtioVjDGUU1qfDlavX
      MD5:E50371BCDCEC0A9585FA2C7018D9A721
      SHA1:02C0242B3B562784A7C89084A9D442E8C705EB02
      SHA-256:91370C6A919D200FA5BB23522C8E83F4A4AE4409DA8D3D8430CCD8B54F579F8F
      SHA-512:306DD6565462737812BC6C54F362BE78860BA8FB2B2BB4C212DB482C1001FF6324FD18D5B6EC507E3242594BBA277A77C013C4332989A425E5C37F6804CFCE20
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):11776
      Entropy (8bit):5.8491666669351865
      Encrypted:false
      SSDEEP:192:uoruQTYZwtFEBP6pIMkrlzDDgODkDNpJ:VBTYOIBP+kBHJDkDF
      MD5:83D854D2812E7BD346F4A36FA7B6FDE7
      SHA1:E791F88CEBE8EB54B976C63DF024108749A75D53
      SHA-256:87C518C0F0A30B16C20C0B0FC1B5337FBAE655F401BD0D059E05F0DED3C92BFB
      SHA-512:6ED975560AF94C2D695491599972664BAD77780D57136086435374376A067FA2F9F0A38DF0EE593CDC6D31A7E099F56E18E4463BB8F10494A2ABA6BCDFC0BAE3
      Malicious:false
      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      File Type:data
      Category:dropped
      Size (bytes):10240
      Entropy (8bit):0.6739662216458647
      Encrypted:false
      SSDEEP:12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
      MD5:C61F99FE7BEE945FC31B62121BE075CD
      SHA1:083BBD0568633FECB8984002EB4FE8FA08E17DD9
      SHA-256:1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
      SHA-512:46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
      Malicious:false
      Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      File Type:data
      Category:dropped
      Size (bytes):24152
      Entropy (8bit):0.7532185028349225
      Encrypted:false
      SSDEEP:48:CMnfnO4FGtsFqN6t8nlztZKR6axR6uiozVb:ZnfO4kWKpZKdxR35
      MD5:520FE964934AF1AB0CEBA2366830D0FA
      SHA1:B90310ACA870261CB619FDFD1E54E1B1A25074FF
      SHA-256:DBD45EEA386D364B30BA189E079BFA05C2C40D9E5E83722C39A171998ED079C1
      SHA-512:A4839A6AB8DB522D9121A590B8C711E8C4F172D9CB71C918860F8048472920F3341B7BA624DFF514BE397809149E4471B2DF981DC81FE77C26B2DDF342A42F8C
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Mar 25 17:42:33 2024, Security: 1
      Category:dropped
      Size (bytes):364032
      Entropy (8bit):7.809315911307731
      Encrypted:false
      SSDEEP:6144:zlunhTqejxEtjPOtioVjDGUU1qfDlavx+fgLX0d6bivVbVjUnj46v9Wa76sObu4b:zIhTviMbVYj46j6sObuEzhKWrHj3sw/
      MD5:32D0EFF7F71A28F9EDD7659EB0CEF09B
      SHA1:0FACE6B59C5DD27E369AD3917E2DA9D3D7E7CC39
      SHA-256:0A83BF3B56696F347A008DF0364806B5B341919A44B032283D17B6EA24496962
      SHA-512:03390E1590FC8D39B1EFFA1B5E8D34B39AEFB12290313AA814DEAEEA7E630502189755A31457DAC6F0C37C906EA66CA773E09DD8368E7F696F4C31666D73C4F2
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:false
      Preview:[ZoneTransfer]....ZoneId=0
      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Mar 26 06:41:50 2024, Security: 1
      Entropy (8bit):7.4485767997075385
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:PO_OCF 408.xls
      File size:324'608 bytes
      MD5:b1b6a921c32d375e2bc145aabc5590ed
      SHA1:df721ea78886ba9fa47e0b4ff172cff71d3eac65
      SHA256:6d0082a6aaeb5d47a2083d5b416c7b7e906c9e25e0f1f1c92a9ae44ae6f38b9f
      SHA512:62e409a8663f38ee22184704303bb08844b5ecd593865ec1a5acf8f908e48981ff1d541bd157b14a6f6ffc59677344d2752b0ea886744e4d15e8739a761ffbb9
      SSDEEP:6144:w0unhXqFY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVsHGMIhshrP6nMe0zO3c:w9hXqs3bVsHGMICOnWO3Moi9d
      TLSH:1664D042FA41870AE85547714DF74AAE6325FC415F934B0B364CF72E3EF02A46E2BA61
      File Content Preview:........................>.......................................................G...H...z......................................................................................................................................................................
      Icon Hash:276ea3a6a6b7bfbf
      Document Type:OLE
      Number of OLE Files:1
      Has Summary Info:
      Application Name:Microsoft Excel
      Encrypted Document:True
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:False
      Flash Objects Count:0
      Contains VBA Macros:True
      Code Page:1252
      Author:
      Last Saved By:
      Create Time:2006-09-16 00:00:00
      Last Saved Time:2024-03-26 06:41:50
      Creating Application:Microsoft Excel
      Security:1
      Document Code Page:1252
      Thumbnail Scaling Desired:False
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:786432
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1.cls
      Stream Size:977
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 b3 44 0b 81 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Attribute VB_Name = "Sheet1"
      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      

      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
      VBA File Name:Sheet2.cls
      Stream Size:977
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D U V . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 b3 44 55 56 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Attribute VB_Name = "Sheet2"
      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      

      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
      VBA File Name:Sheet3.cls
      Stream Size:977
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D f . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 b3 44 66 1a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Attribute VB_Name = "Sheet3"
      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      

      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook.cls
      Stream Size:985
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0
      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 b3 44 80 c4 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Attribute VB_Name = "ThisWorkbook"
      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      

      General
      Stream Path:\x1CompObj
      CLSID:
      File Type:data
      Stream Size:114
      Entropy:4.25248375192737
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      General
      Stream Path:\x5DocumentSummaryInformation
      CLSID:
      File Type:data
      Stream Size:244
      Entropy:2.889430592781307
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
      General
      Stream Path:\x5SummaryInformation
      CLSID:
      File Type:data
      Stream Size:200
      Entropy:3.2403503175049813
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . T H . . . . . . . . . .
      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
      General
      Stream Path:MBD000A282D/\x1CompObj
      CLSID:
      File Type:data
      Stream Size:94
      Entropy:4.345966460061678
      Base64 Encoded:False
      Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      General
      Stream Path:MBD000A282D/\x1Ole
      CLSID:
      File Type:data
      Stream Size:62
      Entropy:2.7788384466112834
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 3 .
      Data Raw:01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 33 00
      General
      Stream Path:MBD000A282D/CONTENTS
      CLSID:
      File Type:PDF document, version 1.7, 1 pages
      Stream Size:20909
      Entropy:7.967116806702583
      Base64 Encoded:True
      Data ASCII:% P D F - 1 . 7 . % . 1 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 2 0 R . / A c r o F o r m 3 0 R . > > . e n d o b j . 4 0 o b j . < < . / P r o d u c e r ( 3 . 0 . 4 \\ ( 5 . 0 . 8 \\ ) ) . / M o d D a t e ( D : 2 0 2 3 0 9 2 2 0 3 2 2 4 8 + 0 2 ' 0 0 ' ) . > > . e n d o b j . 2 0 o b j . < < . / T y p e / P a g e s . / K i d s [ 5 0 R ] . / C o u n t 1 . > > . e n d o b j . 3 0 o b j . < < . / F i e l d s [ ] . / D R 6 0 R . > > . e n d
      Data Raw:25 50 44 46 2d 31 2e 37 0a 25 f6 e4 fc df 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 32 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 33 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 50 72 6f 64 75 63 65 72 20 28 33 2e 30 2e 34 20 5c 28 35 2e 30 2e 38 5c 29 20 29 0a 2f 4d 6f 64 44 61 74 65
      General
      Stream Path:MBD000A282E/\x1CompObj
      CLSID:
      File Type:data
      Stream Size:113
      Entropy:3.9544012817407785
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . / . . . M i c r o s o f t O f f i c e E x c e l M a c r o - E n a b l e d W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 4d 61 63 72 6f 2d 45 6e 61 62 6c 65 64 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      General
      Stream Path:MBD000A282E/Package
      CLSID:
      File Type:Microsoft Excel 2007+
      Stream Size:11593
      Entropy:7.129232244356437
      Base64 Encoded:True
      Data ASCII:P K . . . . . . . . . . ! . h f . . . 6 . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 68 cf de 66 81 01 00 00 36 05 00 00 13 00 cc 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 c8 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      General
      Stream Path:MBD000A282F/\x1CompObj
      CLSID:
      File Type:data
      Stream Size:114
      Entropy:4.25248375192737
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      General
      Stream Path:MBD000A282F/\x5DocumentSummaryInformation
      CLSID:
      File Type:data
      Stream Size:708
      Entropy:3.6235698530352805
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 20 02 00 00 dc 01 00 00 14 00 00 00 01 00 00 00 a8 00 00 00 02 00 00 00 b0 00 00 00 03 00 00 00 bc 00 00 00 0e 00 00 00 c8 00 00 00 0f 00 00 00 d4 00 00 00 04 00 00 00 e0 00 00 00 05 00 00 00
      General
      Stream Path:MBD000A282F/\x5SummaryInformation
      CLSID:
      File Type:data
      Stream Size:23248
      Entropy:3.028372274349727
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v i v i e n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 5a 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e4 00 00 00 09 00 00 00 f4 00 00 00
      General
      Stream Path:MBD000A282F/Workbook
      CLSID:
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:97808
      Entropy:7.364997649638122
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P . 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . .
      Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
      General
      Stream Path:MBD000A2830/\x1Ole
      CLSID:
      File Type:data
      Stream Size:316
      Entropy:6.193265789129319
      Base64 Encoded:False
      Data ASCII:. . . . 7 ` . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . : . / . / . 2 . s . . . g . g . / . 4 . 2 . Q . . . . . . [ 2 : 1 d @ . e k ` ~ H e P . 7 m j 8 > . [ X . ~ X . { o . . C . B . . 2 G , 7 s y a } . B ~ ' . . . . & } O D w z . m x R A . . ! { ' ^ Z . L = g h ' . . X 1 . " 0 8 X . . . . . . . . . . . . . . . . . . . . 2 . q . H . Q . 5 . I . Y . E . P . S . . . O . d . f | T A . k ! ~ . v A u m
      Data Raw:01 00 00 02 8d a4 88 37 a8 ee da 60 00 00 00 00 00 00 00 00 00 00 00 00 c6 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b c2 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 32 00 73 00 2e 00 67 00 67 00 2f 00 34 00 32 00 51 00 00 00 0d aa 88 0a a2 00 ae 5b 32 3a 31 64 b7 b4 40 0c 65 6b 60 7e e0 48 a7 65 82 50 01 37 96 f0 6d 6a a0 38 3e b4 95 1e 5b 58 1c b8 7e 58 d5 84
      General
      Stream Path:Workbook
      CLSID:
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:151302
      Entropy:7.995436452193399
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . . _ = . 0 h L _ K . . > j ] 3 " * * . p 5 t . . . . . . . 6 . . . \\ . p . . p 1 q ] < i 6 . o . . . W . . V . . J 6 C 8 n . L ( h s b 7 . $ t j W . a y h . c ! c . [ . { . ` w g . . t 3 5 < . K B . . . a . . . . 1 . . . = . . . f . . . . , k h 7 . p . . . . . < . . . . v . . . . $ . . . . 9 . . . . h _ . . . U = . . . { . Y . S n W . . . / h @ . . . . . . " . . . / . . . . k v . . . . . . . . s 1 . . . G . . . z s . < . ^ Q z z . 1 . . . . } . I y . :
      Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 ae d1 1e ee 02 e9 fe 5f cf 3d d7 da 2e 30 8e 68 f6 4c aa 99 9f 5f 4b 9e ce ac 91 83 15 3e 6a ad 5d b3 33 22 2a 2a 9b 0e 70 f3 ad 35 bf 74 a2 e6 e1 00 02 00 b0 04 c1 00 02 00 36 ed e2 00 00 00 5c 00 70 00 17 70 31 c1 e1 87 71 ff e3 95 e6 5d fd 99 3c 69 f0 ab 8a 36 10 aa 83 6f fe 08 a2 b4 10 1b
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECT
      CLSID:
      File Type:ASCII text, with CRLF line terminators
      Stream Size:529
      Entropy:5.241798815069371
      Base64 Encoded:True
      Data ASCII:I D = " { 2 C 5 5 A 7 0 3 - 8 E F 2 - 4 4 B 6 - 8 A 2 4 - D 1 C E F 4 3 2 F C D F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 3 4 1 4 A 2 8 A 8 2 C A 8 2 C A
      Data Raw:49 44 3d 22 7b 32 43 35 35 41 37 30 33 2d 38 45 46 32 2d 34 34 42 36 2d 38 41 32 34 2d 44 31 43 45 46 34 33 32 46 43 44 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
      CLSID:
      File Type:data
      Stream Size:104
      Entropy:3.0488640812019017
      Base64 Encoded:False
      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
      Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      CLSID:
      File Type:data
      Stream Size:2644
      Entropy:3.966636528011703
      Base64 Encoded:False
      Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
      Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/dir
      CLSID:
      File Type:data
      Stream Size:553
      Entropy:6.350980612687125
      Base64 Encoded:True
      Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
      Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 b4 c1 10 68 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47


      • Total Packets: 24
      • 443 (HTTPS)
      • 80 (HTTP)
      • 53 (DNS)
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Mar 26, 2024 19:42:16.301249027 CET | 49163 | 80 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.400440931 CET | 80 | 49163 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.400515079 CET | 49163 | 80 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.400798082 CET | 49163 | 80 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.499654055 CET | 80 | 49163 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.500044107 CET | 80 | 49163 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.500226974 CET | 49163 | 80 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.506340027 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.506367922 CET | 443 | 49164 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.506439924 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.512697935 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.512711048 CET | 443 | 49164 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.829709053 CET | 443 | 49164 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.829785109 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.835045099 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.835052967 CET | 443 | 49164 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.835413933 CET | 443 | 49164 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.835469961 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.941570044 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.941675901 CET | 443 | 49164 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.941726923 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:16.941859007 CET | 443 | 49164 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:16.941900969 CET | 49164 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.059370041 CET | 49163 | 80 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.163379908 CET | 80 | 49163 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:36.163496017 CET | 49163 | 80 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.163867950 CET | 49165 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.163902044 CET | 443 | 49165 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:36.163954020 CET | 49165 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.164222002 CET | 49165 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.164231062 CET | 443 | 49165 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:36.490767956 CET | 443 | 49165 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:36.490852118 CET | 49165 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.495486021 CET | 49165 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.495492935 CET | 443 | 49165 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:36.495760918 CET | 443 | 49165 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:36.495803118 CET | 49165 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.502712011 CET | 49165 | 443 | 192.168.2.22 | 13.107.246.40
      Mar 26, 2024 19:42:36.502737999 CET | 443 | 49165 | 13.107.246.40 | 192.168.2.22
      Mar 26, 2024 19:42:36.502789974 CET | 49165 | 443 | 192.168.2.22 | 13.107.246.40
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Mar 26, 2024 19:42:16.166445017 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
      Mar 26, 2024 19:42:16.293255091 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Mar 26, 2024 19:42:16.166445017 CET | 192.168.2.22 | 8.8.8.8 | 0xaee4 | Standard query (0) | 2s.gg | A (IP address) | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Mar 26, 2024 19:42:16.293255091 CET | 8.8.8.8 | 192.168.2.22 | 0xaee4 | No error (0) | 2s.gg | | 13.107.246.40 | A (IP address) | IN (0x0001) | false
      Mar 26, 2024 19:42:16.293255091 CET | 8.8.8.8 | 192.168.2.22 | 0xaee4 | No error (0) | 2s.gg | | 13.107.213.40 | A (IP address) | IN (0x0001) | false
      • 2s.gg
      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      0 | 192.168.2.22 | 49163 | 13.107.246.40 | 80 | 1884 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp | Bytes transferred | Direction | Data
      Mar 26, 2024 19:42:16.400798082 CET | 315 | OUT | GET /42Q HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 2s.gg
      Connection: Keep-Alive
      Mar 26, 2024 19:42:16.500044107 CET | 274 | IN | HTTP/1.1 307 Temporary Redirect
      Date: Tue, 26 Mar 2024 18:42:16 GMT
      Content-Type: text/html
      Content-Length: 0
      Connection: keep-alive
      Location: https://2s.gg/42Q
      x-azure-ref: 20240326T184216Z-ybudv4vsrp4sv0hhd7uf0yttks00000005yg00000000tgk0
      X-Cache: CONFIG_NOCACHE
      Mar 26, 2024 19:42:36.059370041 CET | 315 | OUT | GET /42Q HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 2s.gg
      Connection: Keep-Alive
      Mar 26, 2024 19:42:36.163379908 CET | 274 | IN | HTTP/1.1 307 Temporary Redirect
      Date: Tue, 26 Mar 2024 18:42:36 GMT
      Content-Type: text/html
      Content-Length: 0
      Connection: keep-alive
      Location: https://2s.gg/42Q
      x-azure-ref: 20240326T184236Z-ybudv4vsrp4sv0hhd7uf0yttks00000005yg00000000tkyx
      X-Cache: CONFIG_NOCACHE

Target ID: 0
Start time: 18:41:52
Start date: 25/03/2024
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase: 0x13f6e0000
File size: 28'253'536 bytes
MD5 hash: D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 18:42:20
Start date: 25/03/2024
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Imagebase: 0x13e0000
File size: 2'525'680 bytes
MD5 hash: 2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 18:42:35
Start date: 25/03/2024
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Imagebase: 0x130000
File size: 9'805'808 bytes
MD5 hash: 326A645391A97C760B60C558A35BB068
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
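The three processes above form the tree EXCEL.EXE -> AcroRd32.exe -> RdrCEF.exe, with Acrobat Reader started through OLE (the -Embedding switch) from inside Excel. The following is an added example, written for this report and not sandbox code, that walks such a recorded process list and applies the kind of parent/child rules the "Suspicious Office" Sigma detections encode: Office application spawning a child, a child activated as an embedded OLE server, an Office-descended script or LOLBin host, and an Office-descended process running with administrator rights. The three records are taken from the process list above; the dict layout, the rule names, the severity labels and the OFFICE and SCRIPT_HOSTS sets are assumptions made for the example.

```python
"""Evaluate a recorded process tree against Office parent/child rules.

Added example for this report, not sandbox code. PROCESSES holds the three
processes listed above; the record layout, rule names, severities and the
OFFICE / SCRIPT_HOSTS sets are assumptions made for this example.
"""
import ntpath

PROCESSES = [  # taken from the process list above
    {"pid": 1884, "ppid": None,
     "path": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding',
     "wow64": False, "admin": True},
    {"pid": 2212, "ppid": 1884,
     "path": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding',
     "wow64": True, "admin": True},
    {"pid": 2164, "ppid": 2212,
     "path": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043',
     "wow64": True, "admin": True},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def image(proc):
    """Lower-cased image name, e.g. 'excel.exe'."""
    return ntpath.basename(proc["path"]).lower()


def by_pid(procs):
    return {p["pid"]: p for p in procs}


def lineage(proc, index):
    """Image names from the direct parent up to the root; cycle-safe."""
    chain, seen, cur = [], set(), proc
    while cur["ppid"] in index and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = index[cur["ppid"]]
        chain.append(image(cur))
    return chain


def evaluate(procs):
    """Return (severity, rule, pid, detail) findings for every process that
    descends from an Office application."""
    index = by_pid(procs)
    findings = []
    for p in procs:
        name = image(p)
        ancestors = lineage(p, index)
        office_ancestor = next((a for a in ancestors if a in OFFICE), None)
        if office_ancestor is None:
            continue                       # EXCEL.EXE itself is the root here
        if ancestors[0] in OFFICE:         # direct child of an Office app
            findings.append(("medium", "office_child_process", p["pid"],
                             f"{office_ancestor} -> {name}"))
        if "-embedding" in p["cmdline"].lower():
            # COM passes -Embedding when it launches a server for an embedded
            # object: the document, not the user, started this process.
            findings.append(("medium", "ole_embedded_activation", p["pid"],
                             f"{name} activated as OLE server under {office_ancestor}"))
        if name in SCRIPT_HOSTS:
            findings.append(("high", "office_to_script_host", p["pid"],
                             f"{office_ancestor} -> {name}: {p['cmdline']}"))
        if p["admin"]:
            findings.append(("low", "office_child_elevated", p["pid"],
                             f"{name} runs with administrator privileges"))
    return findings


if __name__ == "__main__":
    for sev, rule, pid, detail in evaluate(PROCESSES):
        print(f"[{sev:6}] {rule:24} pid={pid} {detail}")
```

For the recorded tree this yields no high-severity hit, only the OLE activation of AcroRd32.exe under Excel and the elevated descendants; the same function raises a high-severity office_to_script_host finding the moment a cmd.exe or powershell.exe record with ppid 1884 is added, which is the shape the "Document exploit detected (process start blacklist hit)" signature looks for.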

Call Graph

callgraph 1: Graph is empty (the VBA modules listed below contain only Attribute declarations and no procedures to graph).

Module: Sheet1

Declaration
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet2

Declaration
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet3

Declaration
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
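All four modules above consist solely of the Attribute lines the VBA compiler stores for every document module; the VB_Base class IDs identify three Worksheet objects ({00020820-...}) and the Workbook object ({00020819-...}), and there is no procedure in any of them. That is the reason the call graph is empty and the reason the signatures point at embedded objects rather than macro code. The following is an added example, written for this report and not part of the sandbox or of oletools, that performs that triage on extracted module text: it separates Attribute lines from executable statements, resolves the VB_Base CLSID, looks for auto-run entry points, and reports whether the project carries any code at all. MODULES rebuilds the four module texts listed above from a template; the KNOWN_BASE table, the AUTO_RUN list and all function names are assumptions made for the example.

```python
"""Triage extracted VBA modules: separate compiler Attribute lines from code,
resolve each document module's VB_Base class ID and look for auto-run hooks.

Added example for this report, not sandbox or oletools code. MODULES rebuilds
the four module texts listed above; KNOWN_BASE, AUTO_RUN and the function
names are assumptions made for this example.
"""
import re

# Base-class CLSIDs of the Excel document modules that appear in VB_Base above.
KNOWN_BASE = {
    "00020819-0000-0000-C000-000000000046": "Excel Workbook (ThisWorkbook)",
    "00020820-0000-0000-C000-000000000046": "Excel Worksheet",
}

ATTRIBUTE_RE = re.compile(r'^\s*Attribute\s+(\w+)\s*=\s*(.*?)\s*$')
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]+)\}")
# Entry points that run on open/activation without user interaction.
AUTO_RUN = re.compile(r"\b(Workbook_Open|Auto_Open|Workbook_Activate|"
                      r"Worksheet_Activate|Document_Open|AutoOpen)\b", re.I)


def attribute_block(name, base_clsid):
    """The eight Attribute lines Excel writes for a document module."""
    return "\n".join([
        f'Attribute VB_Name = "{name}"',
        f'Attribute VB_Base = "0{{{base_clsid}}}"',
        "Attribute VB_GlobalNameSpace = False",
        "Attribute VB_Creatable = False",
        "Attribute VB_PredeclaredId = True",
        "Attribute VB_Exposed = True",
        "Attribute VB_TemplateDerived = False",
        "Attribute VB_Customizable = True",
    ])


MODULES = {  # the four modules listed above, rebuilt from the template
    "Sheet1": attribute_block("Sheet1", "00020820-0000-0000-C000-000000000046"),
    "Sheet2": attribute_block("Sheet2", "00020820-0000-0000-C000-000000000046"),
    "Sheet3": attribute_block("Sheet3", "00020820-0000-0000-C000-000000000046"),
    "ThisWorkbook": attribute_block("ThisWorkbook", "00020819-0000-0000-C000-000000000046"),
}


def analyse_module(source):
    """Split one module into attributes and code; summarise what the code does."""
    attrs, code = {}, []
    for line in source.splitlines():
        m = ATTRIBUTE_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
        elif line.strip() and not line.strip().startswith("'"):
            code.append(line)                 # anything else is a statement
    clsid_match = CLSID_RE.search(attrs.get("VB_Base", ""))
    clsid = clsid_match.group(1).upper() if clsid_match else None
    return {
        "name": attrs.get("VB_Name"),
        "base": KNOWN_BASE.get(clsid, f"unknown ({clsid})"),
        "code_lines": len(code),
        "auto_run": sorted(set(AUTO_RUN.findall("\n".join(code)))),
        "stub": not code,                     # attribute-only module, no code
    }


def triage(modules):
    """Per-module reports plus a one-line verdict for the whole VBA project."""
    reports = {name: analyse_module(src) for name, src in modules.items()}
    if all(r["stub"] for r in reports.values()):
        verdict = ("all modules are attribute-only stubs: the VBA project carries "
                   "no code, look at the embedded OLE objects instead")
    else:
        hooks = sorted({h for r in reports.values() for h in r["auto_run"]})
        verdict = f"executable VBA present; auto-run hooks: {hooks or 'none'}"
    return reports, verdict


if __name__ == "__main__":
    reports, verdict = triage(MODULES)
    for name, r in reports.items():
        print(f"{name:13} {r['base']:30} code_lines={r['code_lines']} stub={r['stub']}")
    print(verdict)
```

On a real sample the module text comes from olevba (oletools) or a comparable extractor; the point of the check is that "Document contains embedded VBA macros" on its own says nothing about whether any macro code exists, and for this workbook it does not, so the AcroRd32.exe launch comes from the embedded objects, not from VBA.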