
Windows Analysis Report
NEW ORDER.xls

Overview

General Information

Sample name: NEW ORDER.xls
Analysis ID: 1416417
MD5: 3a676a14c0aa582a465032b971ca23f5
SHA1: 04b12227d6b22ed562005d126cd7e3366c4fe966
SHA256: 3688f05556a136fe094de5cb1888eac2a579525f72cd027e19738582ed40c283
Tags: guloaderxls

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Yara detected MalDoc
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

[Classification chart: axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
  • System is w7x64
  • EXCEL.EXE (PID: 2080 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • AcroRd32.exe (PID: 2352 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
      • RdrCEF.exe (PID: 1256 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
NEW ORDER.xls | JoeSecurity_MalDoc_4 | Yara detected MalDoc | Joe Security |

    System Summary

    Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.246.40, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2080, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
    Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49165, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2080, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 80
    Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2080, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
    No Snort rule has matched



    AV Detection

    Source: NEW ORDER.xls | ReversingLabs: Detection: 42%
    Source: NEW ORDER.xls | Virustotal: Detection: 19%
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49166 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49167 version: TLS 1.2

    Software Vulnerabilities

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Source: global traffic | DNS query: name: 2s.gg
    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 13.107.246.40:80 (8 entries)
    Source: global traffic | TCP traffic: 13.107.246.40:80 -> 192.168.2.22:49165 (5 entries)
    Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 13.107.246.40:443 (16 entries)
    Source: global traffic | TCP traffic: 13.107.246.40:443 -> 192.168.2.22:49166 (6 entries)
    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 13.107.246.40:443 (16 entries)
    Source: global traffic | TCP traffic: 13.107.246.40:443 -> 192.168.2.22:49167 (6 entries)

    Networking

    Source: Yara match | File source: NEW ORDER.xls, type: SAMPLE
    Source: Joe Sandbox View | IP Address: 13.107.246.40
    Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
    Source: global traffic | HTTP traffic detected (4 identical requests):
        GET /3zs HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 2s.gg
        Connection: Keep-Alive
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43E50F3A.emf
    Source: unknown | DNS traffic detected: queries for: 2s.gg
    Source: NEW ORDER.xls, 49230000.0.dr | String found in binary or memory: http://2s.gg/3zs
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
    Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
    Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49166 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.22:49167 version: TLS 1.2

    System Summary

    Source: Screenshot number: 4 | Screenshot OCR: document is protected i 10 11 12 1 Tab 13 14 15 16 (g Open the cXxUmem M If tNsdqajmen: CXKe
    Source: Screenshot number: 8 | Screenshot OCR: document is protected (D Open the ckxumem M Mkmsot Cjfkr Premng 0d b 2 not av8'l&de fy pto:ea
    Source: Screenshot number: 12 | Screenshot OCR: document is protected 10 11 1 Tall 12 13 14 15 16 (D Open the ckxumem M If tNsdqujrnen: CXKC
    Source: NEW ORDER.xls | OLE: Microsoft Excel 2007+
    Source: ~DF2BA8FDFA6589A686.TMP.0.dr | OLE: Microsoft Excel 2007+
    Source: 49230000.0.dr | OLE: Microsoft Excel 2007+
    Source: NEW ORDER.xls | OLE indicator, VBA macros: true
    Source: NEW ORDER.xls | Stream path 'MBD005055A2/\x1Ole' : http://2s.gg/3zs$2Ava;\^2sZ6X0H9:%nmjDgQQ+UlK*5dqxW~@Ph'0k6sb$xb5xcXl:D )ovASA^G1j%+S*#Ic[d')@A}EF<Hh42:y;/F"jJo7nDrM6mBqYtRTbPq2DSOsSXixyC4Y6QH1qsR^xv5(W)]L12J
    Source: 49230000.0.dr | Stream path 'MBD005055A2/\x1Ole' : http://2s.gg/3zs$2Ava;\^2sZ6X0H9:%nmjDgQQ+UlK*5dqxW~@Ph'0k6sb$xb5xcXl:D )ovASA^G1j%+S*#Ic[d')@A}EF<Hh42:y;/F"jJo7nDrM6mBqYtRTbPq2DSOsSXixyC4Y6QH1qsR^xv5(W)]L12J
    Source: ~DF2BA8FDFA6589A686.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: classification engine | Classification label: mal68.troj.expl.winXLS@10/26@1/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR7B66.tmp
    Source: NEW ORDER.xls | OLE indicator, Workbook stream: true
    Source: 49230000.0.dr | OLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: NEW ORDER.xls | ReversingLabs: Detection: 42%
    Source: NEW ORDER.xls | Virustotal: Detection: 19%
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: unknown unknown
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: unknown unknown (5 entries)
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: ~DF2BA8FDFA6589A686.TMP.0.dr | Initial sample: OLE indicators vbamacros = False
    Source: NEW ORDER.xls | Initial sample: OLE indicators encrypted = True
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (17 entries)
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX (54 entries)
    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX (4 entries)
    Source: NEW ORDER.xls | Stream path 'MBD0050559F/CONTENTS' entropy: 7.9671168067 (max. 8.0)
    Source: NEW ORDER.xls | Stream path 'Workbook' entropy: 7.99571688461 (max. 8.0)
    Source: 49230000.0.dr | Stream path 'MBD0050559F/CONTENTS' entropy: 7.9671168067 (max. 8.0)
    Source: 49230000.0.dr | Stream path 'Workbook' entropy: 7.99761311914 (max. 8.0)
    MITRE ATT&CK matrix (number in parentheses = count of matched signatures; techniques without a count are unmatched placeholder cells):
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Exploitation for Client Execution (13); Scheduled Task/Job; At; Cron
    Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Process Injection (1); Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
    Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (2); Application Layer Protocol (13); Ingress Tool Transfer (2)
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
    [Behavior Graph: ID 1416417; sample NEW ORDER.xls; start date 27/03/2024; architecture WINDOWS; score 68]
    Signatures attached to the root node: Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Excel sheet contains many unusual embedded objects; 2 other signatures
    Process chain: EXCEL.EXE (started) -> AcroRd32.exe (started) -> RdrCEF.exe (started)
    DNS/IP node reached from EXCEL.EXE: 2s.gg 13.107.246.40, ports 443, 49165, 49166, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States



    Source | Detection | Scanner | Label
    NEW ORDER.xls | 42% | ReversingLabs | Document-Office.Exploit.CVE-2017-0199
    NEW ORDER.xls | 19% | Virustotal |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    2s.gg | 1% | Virustotal |
    Source | Detection | Scanner | Label
    http://2s.gg/3zs | 0% | Avira URL Cloud | safe
    http://2s.gg/3zs | 0% | Virustotal |


    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    2s.gg | 13.107.246.40 | true | false | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    http://2s.gg/3zs | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
    Reputation legend:
    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs
    IP | Domain | Country | ASN | ASN Name | Malicious
    13.107.246.40 | 2s.gg | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1416417
    Start date and time: 2024-03-27 11:58:08 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 4m 19s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: defaultwindowsofficecookbook.jbs
    Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of new started processes analysed: 9
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: NEW ORDER.xls
    Detection: MAL
    Classification: mal68.troj.expl.winXLS@10/26@1/1
    EGA Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .xls
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Active ActiveX Object
    • Active ActiveX Object
    • Active ActiveX Object
    • Active ActiveX Object
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    10:59:29 | API Interceptor | 187x Sleep call for process: AcroRd32.exe modified
    10:59:46 | API Interceptor | 27x Sleep call for process: RdrCEF.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
13.107.246.40 | PO_OCF 408.xls | Get hash | malicious | Unknown | Browse | 2s.gg/42Q
 | 06836722_218 Aluplast.docx.doc | Get hash | malicious | Unknown | Browse | 2s.gg/3zk
 | Quotation.xls | Get hash | malicious | Unknown | Browse | 2s.gg/3zM
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
2s.gg | PO_OCF 408.xls | Get hash | malicious | Unknown | Browse | 13.105.221.2
 | PO_OCF 408.xls | Get hash | malicious | Unknown | Browse | 13.107.213.40
 | PO_OCF 408.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | 06836722_218 Aluplast.docx.doc | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.105.221.39
 | 06836722_218 Aluplast.docx.doc | Get hash | malicious | Unknown | Browse | 13.105.221.20
 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.105.221.2
 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.105.221.21
 | po3495954.xls | Get hash | malicious | Unknown | Browse | 13.105.221.2
 | po3495954.xls | Get hash | malicious | Unknown | Browse | 13.105.221.21
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://elips2014-my.sharepoint.com/:b:/g/personal/pmarienne_chottin_fr/EVdBejPYbpRHkmR6DZJ80uQBG_bbky7l4rk9FSGmCyBteA?e=4:kQULOr&at=9 | Get hash | malicious | HTMLPhisher | Browse | 13.107.136.10
 | https://acrobat.adobe.com/id/urn:aaid:sc:EU:c6e86077-ef65-4d67-a1ae-540c15f32abd | Get hash | malicious | Unknown | Browse | 13.107.213.40
 | nFDpziNxlF.elf | Get hash | malicious | Mirai, Okiru | Browse | 104.147.102.68
 | YkjaNizECd.elf | Get hash | malicious | Mirai, Okiru | Browse | 52.234.146.154
 | C0v8GOapdi.elf | Get hash | malicious | Mirai, Okiru | Browse | 20.112.77.96
 | Q00D5u1xHq.elf | Get hash | malicious | Mirai, Okiru | Browse | 52.125.178.70
 | F7u5JkRhpi.elf | Get hash | malicious | Mirai, Okiru | Browse | 40.115.125.49
 | rLMjh4RBTM.elf | Get hash | malicious | Mirai, Okiru | Browse | 40.94.30.242
 | #Play Voice Rec202401985.htm | Get hash | malicious | HTMLPhisher | Browse | 52.96.32.178
 | 2ZQkFRoMrY.exe | Get hash | malicious | Amadey, PureLog Stealer, RedLine, SmokeLoader, XWorm, zgRAT | Browse | 20.189.173.21
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
36f7277af969a6947a61ae0b815907a1 | 0lujRkTbEG.js | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | PO_OCF 408.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | PO_OCF 408.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | Quotation.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | po3495954.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | po3495954.xls | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | https://download.adaware.com/nano_download.php?partner=IN221105&nonadmin&tych&campaign=20540828322 | Get hash | malicious | Unknown | Browse | 13.107.246.40
 | Definitive Itinerary.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 13.107.246.40
 | Resqust for Quote.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 13.107.246.40
    No context
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    File Type:data
    Category:modified
    Size (bytes):270336
    Entropy (8bit):0.0018885380473555064
    Encrypted:false
    SSDEEP:3:MsEllllkEthXllkl2zEdlefl:/M/xT02zh
    MD5:5AFAE1B127F8E90CEA6DEFCFAD3C89AC
    SHA1:DF4484B0E67EAD88E181ACF2C60628C360D029CB
    SHA-256:57A7E9DEADA76B0FDCD0D09FF0AD3E8D55B3DBD99971767A86AD27630A53E998
    SHA-512:7C77AFFA67E5FF7455E8170619B4C4DBFB03756687ACC202F8EE2DE20AB987854FDFCD291B78D4428689B5C432E6455D1474855DB9BFDAF95F823BC3073FDC2A
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    File Type:ASCII text
    Category:dropped
    Size (bytes):292
    Entropy (8bit):5.223148994984305
    Encrypted:false
    SSDEEP:6:FQztaq2PP2nKuAl9OmbnIFUt88Qzu6Zmw+8QzuGkwOP2nKuAl9OmbjLJ:2AvWHAahFUt8x66/+x6G57HAaSJ
    MD5:9A29B1FDAC2D351EBF3951826EE54EA6
    SHA1:D8A9964783720E07DAD53C8C69E410BA7BC228AA
    SHA-256:16F1F38321E9ED66DE494FC7CCD643624C3704D55651896FC79A13CBD1D46BAF
    SHA-512:1A7F656D232805735296571291F4E44568394B82CE8B2DAAE9F28FEAE688065173C2305D69E922B750083F53802E07FCA59694E71C681F41E1A26549725D65AD
    Malicious:false
    Reputation:low
    Preview:2024/03/26-10:59:50.135 2316 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/03/26-10:59:50.137 2316 Recovering log #3.2024/03/26-10:59:50.137 2316 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    File Type:ASCII text
    Category:dropped
    Size (bytes):292
    Entropy (8bit):5.223148994984305
    Encrypted:false
    SSDEEP:6:FQztaq2PP2nKuAl9OmbnIFUt88Qzu6Zmw+8QzuGkwOP2nKuAl9OmbjLJ:2AvWHAahFUt8x66/+x6G57HAaSJ
    MD5:9A29B1FDAC2D351EBF3951826EE54EA6
    SHA1:D8A9964783720E07DAD53C8C69E410BA7BC228AA
    SHA-256:16F1F38321E9ED66DE494FC7CCD643624C3704D55651896FC79A13CBD1D46BAF
    SHA-512:1A7F656D232805735296571291F4E44568394B82CE8B2DAAE9F28FEAE688065173C2305D69E922B750083F53802E07FCA59694E71C681F41E1A26549725D65AD
    Malicious:false
    Reputation:low
    Preview:2024/03/26-10:59:50.135 2316 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/03/26-10:59:50.137 2316 Recovering log #3.2024/03/26-10:59:50.137 2316 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    File Type:ASCII text
    Category:dropped
    Size (bytes):292
    Entropy (8bit):5.223148994984305
    Encrypted:false
    SSDEEP:6:FQztaq2PP2nKuAl9OmbnIFUt88Qzu6Zmw+8QzuGkwOP2nKuAl9OmbjLJ:2AvWHAahFUt8x66/+x6G57HAaSJ
    MD5:9A29B1FDAC2D351EBF3951826EE54EA6
    SHA1:D8A9964783720E07DAD53C8C69E410BA7BC228AA
    SHA-256:16F1F38321E9ED66DE494FC7CCD643624C3704D55651896FC79A13CBD1D46BAF
    SHA-512:1A7F656D232805735296571291F4E44568394B82CE8B2DAAE9F28FEAE688065173C2305D69E922B750083F53802E07FCA59694E71C681F41E1A26549725D65AD
    Malicious:false
    Reputation:low
    Preview:2024/03/26-10:59:50.135 2316 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/03/26-10:59:50.137 2316 Recovering log #3.2024/03/26-10:59:50.137 2316 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):0.005597679101775777
    Encrypted:false
    SSDEEP:3:ImtVOM1xVlt/XSxdltIt/l:IiVfxlKxdXI1l
    MD5:FD55D575475A6BD81B055F46FA34BA8B
    SHA1:289A6344929F221E19D2F9097A5907FE42C03855
    SHA-256:261CE45767DBF1E61AAF67C5EC1D75C2FF5C02681DF96897D5B0EC56A0F8C2AB
    SHA-512:F2247D89C3268E838AE6F4BCDC1C4BB9C60E4F2E05B1763CD152811661A00B8BFC467F71009894676E38CE31229DF35F6FC9F2F19C2911698012D0594697F098
    Malicious:false
    Reputation:moderate, very likely benign file
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File Type:PostScript document text
    Category:dropped
    Size (bytes):536
    Entropy (8bit):5.17576513886526
    Encrypted:false
    SSDEEP:12:T4RFQ8idRuMgxg6dxs3yBFTtDcSTAzidRuOPgxg601s3yBFDHpcSa:kNid8HxPs3yTTtPmid8OPgx4s3yTDHBa
    MD5:4D5E3CD969F14362210F0473720C5528
    SHA1:AFD90E9888759B809F78E87D5550B601A288A0A3
    SHA-256:79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE
    SHA-512:B10C157945432CC8944E63A28CA3420CAD0C6B87BABC77BB5437DA5E3DF0CDEB657D410F28FA61D314E86269B8D1AC5972B0792D3E78787DFCE496EEE979DF64
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File Type:PostScript document text
    Category:dropped
    Size (bytes):536
    Entropy (8bit):5.17576513886526
    Encrypted:false
    SSDEEP:12:T4RFQ8idRuMgxg6dxs3yBFTtDcSTAzidRuOPgxg601s3yBFDHpcSa:kNid8HxPs3yTTtPmid8OPgx4s3yTDHBa
    MD5:4D5E3CD969F14362210F0473720C5528
    SHA1:AFD90E9888759B809F78E87D5550B601A288A0A3
    SHA-256:79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE
    SHA-512:B10C157945432CC8944E63A28CA3420CAD0C6B87BABC77BB5437DA5E3DF0CDEB657D410F28FA61D314E86269B8D1AC5972B0792D3E78787DFCE496EEE979DF64
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File Type:PostScript document text
    Category:dropped
    Size (bytes):536
    Entropy (8bit):5.17576513886526
    Encrypted:false
    SSDEEP:12:T4RFQ8idRuMgxg6dxs3yBFTtDcSTAzidRuOPgxg601s3yBFDHpcSa:kNid8HxPs3yTTtPmid8OPgx4s3yTDHBa
    MD5:4D5E3CD969F14362210F0473720C5528
    SHA1:AFD90E9888759B809F78E87D5550B601A288A0A3
    SHA-256:79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE
    SHA-512:B10C157945432CC8944E63A28CA3420CAD0C6B87BABC77BB5437DA5E3DF0CDEB657D410F28FA61D314E86269B8D1AC5972B0792D3E78787DFCE496EEE979DF64
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File Type:PostScript document text
    Category:dropped
    Size (bytes):9566
    Entropy (8bit):5.226610011802065
    Encrypted:false
    SSDEEP:192:eTA2j6Q6T766x626Oz6r606+6bfs6JtRZ65tsu6rtG16lMXY5B5Cfk:es4p0vTLcdfIfsmtRZEtsuatG1gMIzV
    MD5:63B24EA3A13EAC476D6309BB202EF459
    SHA1:89502C393549C20C933E4553F51F74F3DBE085EF
    SHA-256:2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA
    SHA-512:2CB315DD00867DEE3A2CBC4017B59C53B41E817216FE0111A60947E1F0D81FF6767D8F7B5C406AAF9E6516BE716A086642AFFABBEFBE4C5B260437C89E3535EC
    Malicious:false
    Preview:%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:Type1.FontName:AdobePiStd.FamilyName:Adobe Pi Std.StyleName:Regular.FullName:Adobe Pi Std.MenuName:Adobe Pi Std.StyleBits:0.WritingScript:Roman.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.DataFormat:sfntData.UsesStandardEncoding:yes.isCFF:yes.FileLength:92588.FileModTime:1426577650.WeightClass:400.WidthClass:5.AngleClass:0.DesignSize:240.NameArray:0,Mac,4,Adobe Pi Std.
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File Type:PostScript document text
    Category:dropped
    Size (bytes):9566
    Entropy (8bit):5.226610011802065
    Encrypted:false
    SSDEEP:192:eTA2j6Q6T766x626Oz6r606+6bfs6JtRZ65tsu6rtG16lMXY5B5Cfk:es4p0vTLcdfIfsmtRZEtsuatG1gMIzV
    MD5:63B24EA3A13EAC476D6309BB202EF459
    SHA1:89502C393549C20C933E4553F51F74F3DBE085EF
    SHA-256:2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA
    SHA-512:2CB315DD00867DEE3A2CBC4017B59C53B41E817216FE0111A60947E1F0D81FF6767D8F7B5C406AAF9E6516BE716A086642AFFABBEFBE4C5B260437C89E3535EC
    Malicious:false
    Preview:%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1426577652.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:Type1.FontName:AdobePiStd.FamilyName:Adobe Pi Std.StyleName:Regular.FullName:Adobe Pi Std.MenuName:Adobe Pi Std.StyleBits:0.WritingScript:Roman.OutlineFileName:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.DataFormat:sfntData.UsesStandardEncoding:yes.isCFF:yes.FileLength:92588.FileModTime:1426577650.WeightClass:400.WidthClass:5.AngleClass:0.DesignSize:240.NameArray:0,Mac,4,Adobe Pi Std.
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File Type:data
    Category:dropped
    Size (bytes):128373
    Entropy (8bit):1.984352562880039
    Encrypted:false
    SSDEEP:384:hNzyk+spBXiosQUYuoB7OdnGbLq+ACtKzZQ9w/fQ1D+v+W2gnHwvAgIEyXG1oJ/J:nUwvgnHwvAP
    MD5:B4621E956E08FFC84D8E099B27014FEE
    SHA1:CB4604EED70C03ABADD11C5EF15E566B8A9802E4
    SHA-256:0C42B243A4C3673436D22F0C51033E2306005CDB0CFCB82A849452BD3E741CF7
    SHA-512:A99A6769B42241891C83EDD62CD4E4027BBF2F5BC716B4ED01CFDBE7312526C5DA8A3D37EB2D471C0A707952A6D8C9143A921FA7428B9F46105583549540DC47
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):433328
    Entropy (8bit):5.820456234012868
    Encrypted:false
    SSDEEP:6144:Fifm7kwvqU4iyCbPUV7gdaI6z0R/sjBx2:Fl7kwvqULUVS
    MD5:36B5BB0BDB4A0B922BA3F2A2965B371B
    SHA1:DF44483ECCB0CFB97C2989322550092449E4583E
    SHA-256:FB11125A1D0D754680E21BD8778ACF809799248C512A6C1F4CB31C459BCB9019
    SHA-512:12874686670EF7FC26513E77608272825E22DD125EF68C86D1C33892E17BE95484B40A60BF3BC072F3E8A0963A92A363B957946F9CDC4C9DE665177B8E02D584
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):4056
    Entropy (8bit):1.929653848333741
    Encrypted:false
    SSDEEP:12:YB1uOUvJqRENEtEtEdEdEdEO6Mcs/vs9/09v89fE9vM9/U9Lzlm97z9m9Lz1m9bO:Y7uTvJqRiGGWWWRKqurbkdBvae
    MD5:4A103FC1809C8EA381D2ACB5380EF4F6
    SHA1:6C81D37798C4D78C64E7D3EF7EB2ACB317C9FF67
    SHA-256:1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
    SHA-512:77DA8AB022505D77F89749E97628CAF4DD8414251CB673598ACBA8F7D30D1889037FAB30094A6CE7DC47293697A6BEF28B92364D00129B59D2FC3711C82650F5
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):4056
    Entropy (8bit):1.9017483361098562
    Encrypted:false
    SSDEEP:24:YOu6PJqRixxBBBQAAJnHbG/KD3ql/mfzG/S6ATn9eDIb6eD/qLvae:9u6IRixxBBBQlJatF6n8g/wae
    MD5:8F636083CE616F8EB610556C57CC3CAA
    SHA1:4291DA8874EF4A60300F4BAAEC84F5A4A425E31E
    SHA-256:62E41677B9A6F9B0139BB4D5EAA890F1423F707383A960FFA261A7C4A677F3EB
    SHA-512:78FF54528C73E9E52C67FC8536BDA2628F4177ACDC9E749F4EAF69639F82E468B3766AEACD4F24BABCB30227572B2F522FDDF2FBD8B790C474ACF313BD32C84A
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):330948
    Entropy (8bit):4.972275318037275
    Encrypted:false
    SSDEEP:3072:N0Bd8yCKdQW2222222Igccz3/qSmV1XITSuaZgOTARfMDc1ji:N0Bd8yCKdQRzw4muaZ9TARfMDcFi
    MD5:FF59AF315557FDF3174DBF47FACD66F7
    SHA1:34C6851CF24217B4B5F1BEBAAF5DEE072327FB8A
    SHA-256:07F29406508DC93447018A35FF105ECAFA5F0520F96F4F883A5AFA2D09437D8F
    SHA-512:98F385541E6C954E9CE40897B6BD339BF36891C98BFD7CDE4B1ACF620D91BBFA96542F3A0ABDC1422369B3811B685D085A7014376A79BC0B7AE210F21FDF7EF8
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):884312
    Entropy (8bit):1.2944965349348616
    Encrypted:false
    SSDEEP:1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw
    MD5:9ABE7EB352E0DB96B52C99AC2FDEA85F
    SHA1:8DC45D02308275BA32B7FFB320A3042256D40C8B
    SHA-256:EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
    SHA-512:E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
    Category:dropped
    Size (bytes):884312
    Entropy (8bit):1.2944875740888722
    Encrypted:false
    SSDEEP:1536:k3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:5ux/ZiOE85e+8J2dvRcvMyw
    MD5:B6DFB3AA7AC4A1A52336C30FA821857B
    SHA1:66ECB808A516AC5B07A01CDFCAD65FD7B9907619
    SHA-256:E22202331F689D7568E674B0DCD895DF66FAC5980498F05A846DE244AB3394C4
    SHA-512:A13562F976BCBEEF7D4B4926C37E39BFD4C588EF6E746792B806E6737C91604175395021D4884493D764CE7F0EE2ACC6C7D03A6045A5B4ED6616E5D7E4C9FE94
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):11776
    Entropy (8bit):5.852318730682997
    Encrypted:false
    SSDEEP:192:RoruQTYZwtFEBP6pIMkrlzDDg2Z42dDNpJ:OBTYOIBP+kBHGuDF
    MD5:B7F77CE44F5F52B14F1DAC36486A9B17
    SHA1:05EAC437FF7674B190A59D6ADBCEAD5906D46F02
    SHA-256:CB51AC0FE5A2CAA1BC60CDA7C8EC0CC565D48E7F0C6A187E6D2EDA46FCE7697C
    SHA-512:FADE50BE986D2F85AB1AF6832C4CB0AA745413BF82B2451EA1F305C67B072CEB3586C4A5F4FEEEBFB99EA5526AF99AA01EF0E8DF6633F5D4E108D2683C4F4D5C
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):172032
    Entropy (8bit):6.268632028925797
    Encrypted:false
    SSDEEP:3072:BZkJAg151TKWIHDepIYYFxEtjPOtioVjDGUU1qfDlaGGx+cugLX0d6AwE/zDiam+:BZun1TqjxxEtjPOtioVjDGUU1qfDlav0
    MD5:2575F913DD12A89FD788DE1BAA24B1FF
    SHA1:4C6B9DEB23897F14420863044039C32DE0C5813C
    SHA-256:A9DA10FB28DDC78E17616D47447672184903028ACED9EECE77F9E356B2576201
    SHA-512:C11D8E90A05CEA5BE87DB47F4EE0E5657A6A6F0F9E481F96FDAB6CD031DCBF6F890763865FC25F1741FBAA19D8330E1977365D8D67DEB2327546BB9590E8E91B
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File Type:data
    Category:dropped
    Size (bytes):10240
    Entropy (8bit):0.6739662216458647
    Encrypted:false
    SSDEEP:12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
    MD5:C61F99FE7BEE945FC31B62121BE075CD
    SHA1:083BBD0568633FECB8984002EB4FE8FA08E17DD9
    SHA-256:1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
    SHA-512:46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
    Malicious:false
    Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    File Type:data
    Category:dropped
    Size (bytes):24152
    Entropy (8bit):0.7532185028349225
    Encrypted:false
    SSDEEP:48:CMnfnO4FGtsFqN6t8nlztZKR6axR6uiozVb:ZnfO4kWKpZKdxR35
    MD5:520FE964934AF1AB0CEBA2366830D0FA
    SHA1:B90310ACA870261CB619FDFD1E54E1B1A25074FF
    SHA-256:DBD45EEA386D364B30BA189E079BFA05C2C40D9E5E83722C39A171998ED079C1
    SHA-512:A4839A6AB8DB522D9121A590B8C711E8C4F172D9CB71C918860F8048472920F3341B7BA624DFF514BE397809149E4471B2DF981DC81FE77C26B2DDF342A42F8C
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Mar 26 09:59:43 2024, Security: 1
    Category:dropped
    Size (bytes):364544
    Entropy (8bit):7.80574920458647
    Encrypted:false
    SSDEEP:6144:Z+unhTqjixEtjPOtioVjDGUU1qfDlavx+fgLX0d6UivKbV2kTyF0BdfM+ewnHQa6:Z/hT8EHbVtZM+ew7vX0FvI/b
    MD5:3B2C51FB3EC8765058BCA061B463FDD6
    SHA1:CCF3BA89647FFA9130A16F10761354E5F055ED70
    SHA-256:50E10C8D91F1CA164A2646045760F6A93DD18EDFE2674D15434B2437F2DC3AED
    SHA-512:F1E62D1C68B41DB737667BDA8C9E35A4599CA66464679CF6E5607E69FD2295815E0B59559B70731EA2C7C8A8FDDFED5CDD57DC76410D0FE5F51CEB201628C657
    Malicious:false
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:false
    Preview:[ZoneTransfer]....ZoneId=0
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Mar 26 09:59:43 2024, Security: 1
    Category:dropped
    Size (bytes):364544
    Entropy (8bit):7.80574920458647
    Encrypted:false
    SSDEEP:6144:Z+unhTqjixEtjPOtioVjDGUU1qfDlavx+fgLX0d6UivKbV2kTyF0BdfM+ewnHQa6:Z/hT8EHbVtZM+ew7vX0FvI/b
    MD5:3B2C51FB3EC8765058BCA061B463FDD6
    SHA1:CCF3BA89647FFA9130A16F10761354E5F055ED70
    SHA-256:50E10C8D91F1CA164A2646045760F6A93DD18EDFE2674D15434B2437F2DC3AED
    SHA-512:F1E62D1C68B41DB737667BDA8C9E35A4599CA66464679CF6E5607E69FD2295815E0B59559B70731EA2C7C8A8FDDFED5CDD57DC76410D0FE5F51CEB201628C657
    Malicious:false
    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Mar 25 12:48:57 2024, Security: 1
    Entropy (8bit):7.445174793793269
    TrID:
    • Microsoft Excel sheet (30009/1) 47.99%
    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
    File name:NEW ORDER.xls
    File size:325'120 bytes
    MD5:3a676a14c0aa582a465032b971ca23f5
    SHA1:04b12227d6b22ed562005d126cd7e3366c4fe966
    SHA256:3688f05556a136fe094de5cb1888eac2a579525f72cd027e19738582ed40c283
    SHA512:f4e2e080f2c6b73aad8f8a487e65a5aed1cee9fa77e9e82f1e0538c978c2f150e10b2ac93e96d65857a7380acd94e16178c82bedb65c415b247f01580e49ae05
    SSDEEP:6144:VPunhX2jaLY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVlLMIU6FDCmg9bhQ87:VqhX2ja23bVlLMILKbhQ4z3SJKgJeB/b
    TLSH:7164E041FA81865AE585473649F74BAA6325FC409F524B0F324CF71E3DB03E46E3BA62
    Icon Hash:276ea3a6a6b7bfbf
    Document Type:OLE
    Number of OLE Files:1
    Has Summary Info:
    Application Name:Microsoft Excel
    Encrypted Document:True
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:True
    Code Page:1252
    Author:
    Last Saved By:
    Create Time:2006-09-16 00:00:00
    Last Saved Time:2024-03-25 12:48:57
    Creating Application:Microsoft Excel
    Security:1
    Document Code Page:1252
    Thumbnail Scaling Desired:False
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:786432
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
    VBA File Name:Sheet1.cls
    Stream Size:977
    Attribute VB_Name = "Sheet1"
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = True
    

    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
    VBA File Name:Sheet2.cls
    Stream Size:977
    Attribute VB_Name = "Sheet2"
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = True
    

    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
    VBA File Name:Sheet3.cls
    Stream Size:977
    Attribute VB_Name = "Sheet3"
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = True
    

    General
    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
    VBA File Name:ThisWorkbook.cls
    Stream Size:985
    Attribute VB_Name = "ThisWorkbook"
    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = True
    

    General
    Stream Path:\x1CompObj
    CLSID:
    File Type:data
    Stream Size:114
    Entropy:4.25248375192737
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
    General
    Stream Path:\x5DocumentSummaryInformation
    CLSID:
    File Type:data
    Stream Size:244
    Entropy:2.889430592781307
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
    General
    Stream Path:\x5SummaryInformation
    CLSID:
    File Type:data
    Stream Size:200
    Entropy:3.2882936681910495
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . B . . ~ . . . . . . . . .
    General
    Stream Path:MBD0050559F/\x1CompObj
    CLSID:
    File Type:data
    Stream Size:94
    Entropy:4.345966460061678
    Base64 Encoded:False
    Data ASCII:. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
    General
    Stream Path:MBD0050559F/\x1Ole
    CLSID:
    File Type:data
    Stream Size:62
    Entropy:2.7788384466112834
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 3 .
    General
    Stream Path:MBD0050559F/CONTENTS
    CLSID:
    File Type:PDF document, version 1.7, 1 pages
    Stream Size:20909
    Entropy:7.967116806702583
    Base64 Encoded:True
    Data ASCII:% P D F - 1 . 7 . % . 1 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 2 0 R . / A c r o F o r m 3 0 R . > > . e n d o b j . 4 0 o b j . < < . / P r o d u c e r ( 3 . 0 . 4 \\ ( 5 . 0 . 8 \\ ) ) . / M o d D a t e ( D : 2 0 2 3 0 9 2 2 0 3 2 2 4 8 + 0 2 ' 0 0 ' ) . > > . e n d o b j . 2 0 o b j . < < . / T y p e / P a g e s . / K i d s [ 5 0 R ] . / C o u n t 1 . > > . e n d o b j . 3 0 o b j . < < . / F i e l d s [ ] . / D R 6 0 R . > > . e n d
    General
    Stream Path:MBD005055A0/\x1CompObj
    CLSID:
    File Type:data
    Stream Size:113
    Entropy:3.9544012817407785
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . / . . . M i c r o s o f t O f f i c e E x c e l M a c r o - E n a b l e d W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
    General
    Stream Path:MBD005055A0/Package
    CLSID:
    File Type:Microsoft Excel 2007+
    Stream Size:11594
    Entropy:7.133836970926882
    Base64 Encoded:True
    General
    Stream Path:MBD005055A1/\x1CompObj
    CLSID:
    File Type:data
    Stream Size:114
    Entropy:4.25248375192737
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
    General
    Stream Path:MBD005055A1/\x5DocumentSummaryInformation
    CLSID:
    File Type:data
    Stream Size:708
    Entropy:3.6235698530352805
    Base64 Encoded:True
    General
    Stream Path:MBD005055A1/\x5SummaryInformation
    CLSID:
    File Type:data
    Stream Size:23248
    Entropy:3.0232976457110414
    Base64 Encoded:True
    General
    Stream Path:MBD005055A1/Workbook
    CLSID:
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:97808
    Entropy:7.36513443754125
    Base64 Encoded:True
    General
    Stream Path:MBD005055A2/\x1Ole
    CLSID:
    File Type:data
    Stream Size:466
    Entropy:6.599365577984179
    Base64 Encoded:False
    Data ASCII:. . . . r b . ` . . . . . . . . . . . . ( . . . y . . . K . $ . . . h . t . t . p . : . / . / . 2 . s . . . g . g . / . 3 . z . s . . . . . $ 2 A v . a ; . . \\ ^ 2 s Z 6 X 0 . H 9 : % n . m . . j . D . . . g Q Q . + . U l K * 5 d q . x W ~ @ P h ' 0 k 6 . . s b . $ . x . . . . b 5 . . x c X . l . . : D . ) o v A S A ^ G . 1 j % . + S * # . I . c [ . d ' ) @ A . } E . . . . F . < H . h . . 4 2 : y ; / . . F . " j . . . . . . . . . . . . . . . . J . . . o . 7 . n . D . r . M . 6 . m . B . q . Y . t . R . T
    General
    Stream Path:Workbook
    CLSID:
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:151378
    Entropy:7.995716884610021
    Base64 Encoded:True
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECT
    CLSID:
    File Type:ASCII text, with CRLF line terminators
    Stream Size:519
    Entropy:5.215893266258675
    Base64 Encoded:True
    Data ASCII:I D = " { 6 7 7 0 F B B C - E A F 2 - 4 6 7 D - 9 0 D 3 - F 8 8 E 0 7 C 3 D 9 9 D } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 0 4 2 6 2 6 0 6 6 6 0 6 6 6 0 6
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
    CLSID:
    File Type:data
    Stream Size:104
    Entropy:3.0488640812019017
    Base64 Encoded:False
    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
    CLSID:
    File Type:data
    Stream Size:2644
    Entropy:3.977174695581832
    Base64 Encoded:False
    Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/dir
    CLSID:
    File Type:data
    Stream Size:553
    Entropy:6.367111124104135
    Base64 Encoded:True
    Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . Q . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2


    • Total Packets: 23
    • 443 (HTTPS)
    • 80 (HTTP)
    • 53 (DNS)
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Mar 27, 2024 11:59:24.467451096 CET | 49165 | 80 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:24.568376064 CET | 80 | 49165 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:24.568455935 CET | 49165 | 80 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:24.568684101 CET | 49165 | 80 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:24.667865038 CET | 80 | 49165 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:24.668363094 CET | 80 | 49165 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:24.668421984 CET | 49165 | 80 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:24.701205015 CET | 49166 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:24.701236963 CET | 443 | 49166 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:24.701498032 CET | 49166 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:24.708641052 CET | 49166 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:24.708657026 CET | 443 | 49166 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:25.027367115 CET | 443 | 49166 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:25.027432919 CET | 49166 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:25.033155918 CET | 49166 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:25.033166885 CET | 443 | 49166 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:25.033477068 CET | 443 | 49166 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:25.033540964 CET | 49166 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:25.111618996 CET | 49166 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:25.111774921 CET | 443 | 49166 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:25.111841917 CET | 49166 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.080995083 CET | 49165 | 80 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.223705053 CET | 80 | 49165 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:46.228486061 CET | 80 | 49165 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:46.228590012 CET | 49165 | 80 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.229372025 CET | 49167 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.229412079 CET | 443 | 49167 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:46.229470968 CET | 49167 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.257710934 CET | 49167 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.257729053 CET | 443 | 49167 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:46.571302891 CET | 443 | 49167 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:46.571497917 CET | 49167 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.581305027 CET | 49167 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.581317902 CET | 443 | 49167 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:46.581626892 CET | 443 | 49167 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:46.581680059 CET | 49167 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.585331917 CET | 49167 | 443 | 192.168.2.22 | 13.107.246.40
    Mar 27, 2024 11:59:46.585377932 CET | 443 | 49167 | 13.107.246.40 | 192.168.2.22
    Mar 27, 2024 11:59:46.585438967 CET | 49167 | 443 | 192.168.2.22 | 13.107.246.40
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Mar 27, 2024 11:59:24.331805944 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
    Mar 27, 2024 11:59:24.449301958 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Mar 27, 2024 11:59:24.331805944 CET | 192.168.2.22 | 8.8.8.8 | 0xac92 | Standard query (0) | 2s.gg | A (IP address) | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Mar 27, 2024 11:59:24.449301958 CET | 8.8.8.8 | 192.168.2.22 | 0xac92 | No error (0) | 2s.gg | | 13.107.246.40 | A (IP address) | IN (0x0001) | false
    Mar 27, 2024 11:59:24.449301958 CET | 8.8.8.8 | 192.168.2.22 | 0xac92 | No error (0) | 2s.gg | | 13.107.213.40 | A (IP address) | IN (0x0001) | false
    • 2s.gg
    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    0 | 192.168.2.22 | 49165 | 13.107.246.40 | 80 | 2080 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Timestamp | Bytes transferred | Direction | Data
    Mar 27, 2024 11:59:24.568684101 CET | 315 | OUT | GET /3zs HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 2s.gg
    Connection: Keep-Alive
    Mar 27, 2024 11:59:24.668363094 CET | 274 | IN | HTTP/1.1 307 Temporary Redirect
    Date: Wed, 27 Mar 2024 10:59:24 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: https://2s.gg/3zs
    x-azure-ref: 20240327T105924Z-177k81dff10b5d6fm3k55amfpg00000007100000000173ax
    X-Cache: CONFIG_NOCACHE
    Mar 27, 2024 11:59:46.080995083 CET | 315 | OUT | GET /3zs HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 2s.gg
    Connection: Keep-Alive
    Mar 27, 2024 11:59:46.228486061 CET | 274 | IN | HTTP/1.1 307 Temporary Redirect
    Date: Wed, 27 Mar 2024 10:59:46 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: https://2s.gg/3zs
    x-azure-ref: 20240327T105946Z-177k81dff10b5d6fm3k55amfpg00000007100000000176h9
    X-Cache: CONFIG_NOCACHE



    Target ID:0
    Start time:10:58:58
    Start date:26/03/2024
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Imagebase:0x13f270000
    File size:28'253'536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:4
    Start time:10:59:29
    Start date:26/03/2024
    Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
    Imagebase:0x13e0000
    File size:2'525'680 bytes
    MD5 hash:2F8D93826B8CBF9290BC57535C7A6817
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:6
    Start time:10:59:45
    Start date:26/03/2024
    Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Imagebase:0x130000
    File size:9'805'808 bytes
    MD5 hash:326A645391A97C760B60C558A35BB068
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Call Graph

    callgraph 1 Error: Graph is empty

    Module: Sheet1

    Declaration
    Line  Content
    1     Attribute VB_Name = "Sheet1"
    2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3     Attribute VB_GlobalNameSpace = False
    4     Attribute VB_Creatable = False
    5     Attribute VB_PredeclaredId = True
    6     Attribute VB_Exposed = True
    7     Attribute VB_TemplateDerived = False
    8     Attribute VB_Customizable = True

    Module: Sheet2

    Declaration
    Line  Content
    1     Attribute VB_Name = "Sheet2"
    2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3     Attribute VB_GlobalNameSpace = False
    4     Attribute VB_Creatable = False
    5     Attribute VB_PredeclaredId = True
    6     Attribute VB_Exposed = True
    7     Attribute VB_TemplateDerived = False
    8     Attribute VB_Customizable = True

    Module: Sheet3

    Declaration
    Line  Content
    1     Attribute VB_Name = "Sheet3"
    2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    3     Attribute VB_GlobalNameSpace = False
    4     Attribute VB_Creatable = False
    5     Attribute VB_PredeclaredId = True
    6     Attribute VB_Exposed = True
    7     Attribute VB_TemplateDerived = False
    8     Attribute VB_Customizable = True

    Module: ThisWorkbook

    Declaration
    Line  Content
    1     Attribute VB_Name = "ThisWorkbook"
    2     Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
    3     Attribute VB_GlobalNameSpace = False
    4     Attribute VB_Creatable = False
    5     Attribute VB_PredeclaredId = True
    6     Attribute VB_Exposed = True
    7     Attribute VB_TemplateDerived = False
    8     Attribute VB_Customizable = True