
Windows Analysis Report 1701667874-10042021.xls

Overview

General Information

Sample Name: 1701667874-10042021.xls
Analysis ID: 499734
MD5: 1dc3a1c0972a9e32d88e85d1cf8f2c65
SHA1: 808311a07522956f55bf842749083e199b0f04c6
SHA256: 9828f899790d150360e0a3f78f3eb3b758417644bc16896aeb411e2af9e8ea4b
Tags: xls

Detection

Hidden Macro 4.0
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 472 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 2872 cmdline: regsvr32 -silent ..\Celod.wac MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 5972 cmdline: regsvr32 -silent ..\Celod.wac1 MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 4868 cmdline: regsvr32 -silent ..\Celod.wac2 MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: 1701667874-10042021.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started; Author: Florian Roth; Data: Command: regsvr32 -silent ..\Celod.wac, CommandLine: regsvr32 -silent ..\Celod.wac, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 472, ProcessCommandLine: regsvr32 -silent ..\Celod.wac, ProcessId: 2872
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: regsvr32 -silent ..\Celod.wac, CommandLine: regsvr32 -silent ..\Celod.wac, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 472, ProcessCommandLine: regsvr32 -silent ..\Celod.wac, ProcessId: 2872

Jbx Signature Overview

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
Source: global traffic; TCP traffic: 192.168.2.4:49762 -> 190.14.37.165:80
Source: global traffic; TCP traffic: 192.168.2.4:49774 -> 5.196.247.11:80
Source: global traffic; TCP traffic: 192.168.2.4:49791 -> 188.119.113.3:80
Source: unknown; TCP traffic detected without corresponding DNS query: 190.14.37.165
Source: unknown; TCP traffic detected without corresponding DNS query: 5.196.247.11
Source: unknown; TCP traffic detected without corresponding DNS query: 188.119.113.3
Source: 1701667874-10042021.xls; String found in binary or memory: http://188.119.113.3/
Source: 1701667874-10042021.xls; String found in binary or memory: http://190.14.37.165/
Source: 1701667874-10042021.xls; String found in binary or memory: http://5.196.247.11/

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4 | Screenshot OCR: Enable editing" in the yellow bar 19_ above. :: example of not'fication 22_ ( O pmEcTmwARN|NG Thi
    Source: Document image extraction number: 0 | Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
    Source: Document image extraction number: 0 | Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 0 | Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: Document image extraction number: 1 | Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
    Source: Document image extraction number: 1 | Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 1 | Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
    Source: 1701667874-10042021.xls | OLE, VBA macro line: Sub auto_close()
    Source: 1701667874-10042021.xls | OLE, VBA macro line: Sub auto_open()
    Source: 1701667874-10042021.xls | OLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: 1701667874-10042021.xls | OLE indicator, VBA macros: true
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: 1701667874-10042021.xls | OLE indicator, Workbook stream: true
    Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac1
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac2
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac1
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -silent ..\Celod.wac2
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{112C4883-3FC3-4A45-9F06-94F092FA6F17} - OProcSessId.dat
    Source: classification engine | Classification label: mal68.expl.winXLS@7/3@0/3
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Window found: window name: SysTabControl32
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match | File source: 1701667874-10042021.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Numbers in parentheses give the count of matched signatures for that technique; techniques without a number were not observed.

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Scripting (2) | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Exploitation for Client Execution (21) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | System Information Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting (2) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

    Behavior Graph


    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    https://roaming.edog. | 0% | URL Reputation | safe
    https://cdn.entity. | 0% | URL Reputation | safe
    https://powerlift.acompli.net | 0% | URL Reputation | safe
    https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
    http://188.119.113.3/ | 4% | Virustotal |
    http://188.119.113.3/ | 0% | Avira URL Cloud | safe
    https://cortana.ai | 0% | URL Reputation | safe
    https://api.aadrm.com/ | 0% | URL Reputation | safe
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
    https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
    https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
    https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
    https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
    https://api.aadrm.com | 0% | Virustotal |
    https://api.aadrm.com | 0% | Avira URL Cloud | safe
    https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
    https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
    https://www.odwebp.svc.ms | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
    https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
    https://ncus.contentsync. | 0% | URL Reputation | safe
    https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
    https://wus2.contentsync. | 0% | URL Reputation | safe
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
    http://5.196.247.11/ | 4% | Virustotal |
    http://5.196.247.11/ | 0% | Avira URL Cloud | safe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
    https://ncus.pagecontentsync. | 0% | URL Reputation | safe
    https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com | 0% | URL Reputation | safe
    https://api.cortana.ai | 0% | URL Reputation | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://api.diagnosticssdf.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://login.microsoftonline.com/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://shell.suite.office.com:1443 | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://autodiscover-s.outlook.com/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://roaming.edog. | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://cdn.entity. | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://api.addins.omex.office.net/appinfo/query | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://clients.config.office.net/user/v1.0/tenantassociationkey | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://powerlift.acompli.net | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://rpsticket.partnerservices.getmicrosoftkey.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://lookup.onenote.com/lookup/geolocation/v1 | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    http://188.119.113.3/ | 1701667874-10042021.xls | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
    https://cortana.ai | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://cloudfiles.onenote.com/upload.aspx | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://entitlement.diagnosticssdf.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://api.aadrm.com/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://ofcrecsvcapi-int.azurewebsites.net/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://api.microsoftstream.com/api/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://cr.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | Avira URL Cloud: safe | low
    https://portal.office.com/account/?ref=ClientMeControl | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://graph.ppe.windows.net | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://res.getmicrosoftkey.com/api/redemptionevents | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://powerlift-frontdesk.acompli.net | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://tasks.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://officeci.azurewebsites.net/api/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://store.office.cn/addinstemplate | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://api.aadrm.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
    https://outlook.office.com/autosuggest/api/v1/init?cvid= | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://globaldisco.crm.dynamics.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://store.officeppe.com/addinstemplate | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://dev0-api.acompli.net/autodetect | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://www.odwebp.svc.ms | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://api.powerbi.com/v1.0/myorg/groups | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://web.microsoftstream.com/video/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://graph.windows.net | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://dataservice.o365filtering.com/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://officesetup.getmicrosoftkey.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://analysis.windows.net/powerbi/api | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://prod-global-autodetect.acompli.net/autodetect | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://outlook.office365.com/autodiscover/autodiscover.json | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://ncus.contentsync. | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    http://weather.service.msn.com/data.aspx | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://apis.live.net/v5.0/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://management.azure.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://outlook.office365.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://wus2.contentsync. | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://incidents.diagnostics.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://clients.config.office.net/user/v1.0/ios | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://insertmedia.bing.office.net/odc/insertmedia | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://o365auditrealtimeingestion.manage.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://outlook.office365.com/api/v1.0/me/Activities | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://api.office.net | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://incidents.diagnosticssdf.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://asgsmsproxyapi.azurewebsites.net/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://clients.config.office.net/user/v1.0/android/policies | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://entitlement.diagnostics.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://substrate.office.com/search/api/v2/init | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://outlook.office.com/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://storage.live.com/clientlogs/uploadlocation | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://outlook.office365.com/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://webshell.suite.office.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://substrate.office.com/search/api/v1/SearchHistory | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    http://5.196.247.11/ | 1701667874-10042021.xls | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
    https://management.azure.com/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://login.windows.net/common/oauth2/authorize | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://graph.windows.net/ | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://api.powerbi.com/beta/myorg/imports | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://devnull.onenote.com | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | | high
    https://ncus.pagecontentsync. | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | URL Reputation: safe | unknown
    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.dr | false | |
                                                                                                                                      high
                                                                                                                                      https://messaging.office.com/A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileA0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://augloop.office.com/v2A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingA0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://skyapi.live.net/Activity/A0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://clients.config.office.net/user/v1.0/macA0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://dataservice.o365filtering.comA0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://api.cortana.aiA0633F26-EC8F-47DE-85C4-78BC1E11A6E5.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
5.196.247.11 | unknown | France | 16276 | OVHFR | false
190.14.37.165 | unknown | Panama | 52469 | OffshoreRacksSAPA | false
188.119.113.3 | unknown | Russian Federation | 50673 | SERVERIUS-ASNL | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 499734
Start date: 08.10.2021
Start time: 22:37:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1701667874-10042021.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.expl.winXLS@7/3@0/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to English - United States
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 40.127.240.158, 51.11.168.232, 20.82.210.154, 95.100.218.79, 52.109.76.68, 52.109.76.35, 52.109.88.37, 52.109.8.24, 52.109.12.21, 204.79.197.222, 20.54.110.249, 40.112.88.60, 209.197.3.8, 20.50.102.62, 2.20.178.33, 2.20.178.24
• Excluded domains from analysis (whitelisted): fp.msedge.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, a-0019.standard.a-msedge.net, arc.trafficmanager.net, nexus.officeapps.live.com, 1.perf.msedge.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
5.196.247.11 | 173536952-10042021.xls | malicious | 5.196.247.11/44473.7079048611.dat
190.14.37.165 | 173536952-10042021.xls | malicious | 190.14.37.165/44473.7079048611.dat
188.119.113.3 | 173536952-10042021.xls | malicious | 188.119.113.3/44473.7079048611.dat
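The three contacted IPs listed under Contacted IPs, the one raw-IP URL in the URL table (http://5.196.247.11/1701667874-10042021.xls), and the /44473.7079048611.dat payload path that the same three IPs served to the associated sample 173536952-10042021.xls together form a small hunting set. The Python below is an added example for turning that set into a proxy-log sweep; it is not part of the Joe Sandbox report. The log lines are constructed, the squid-style field layout is an assumption, and the `.dat` path regex generalises the single observed path to "<digits>.<digits>.dat", which is also an assumption rather than something the report states.

```python
"""Match the indicators from this report against web-proxy log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Indicators copied from the report: the three contacted IPs and the only
# non-Microsoft URL in the URL table.
CONTACTED_IPS = {"5.196.247.11", "190.14.37.165", "188.119.113.3"}
DOWNLOAD_URL = "http://5.196.247.11/1701667874-10042021.xls"

# The context table shows all three IPs serving "/44473.7079048611.dat" to the
# associated sample. Generalising that to "/<digits>.<digits>.dat" is an assumption.
DAT_PATH_RE = re.compile(r"^/\d+\.\d+\.dat$")

# Constructed sample log (not from the report). Assumed layout, one request per line:
#   <epoch> <client-ip> <method> <url> <http-status>
SAMPLE_LOG = """\
1633731458 10.0.0.5 GET http://5.196.247.11/1701667874-10042021.xls 200
1633731460 10.0.0.5 GET http://190.14.37.165/44473.7079048611.dat 200
1633731461 10.0.0.5 GET http://188.119.113.3/44473.7079048611.dat 000
1633731470 10.0.0.7 GET https://config.officeapps.live.com/config/v2.0/config 200
1633731475 10.0.0.9 GET http://93.184.216.34/index.html 200
1633731480 10.0.0.9 GET http://203.0.113.9/12345.6789012345.dat 200
"""


@dataclass(frozen=True)
class Hit:
    client: str
    url: str
    reasons: Tuple[str, ...]


def classify(url: str) -> Tuple[str, ...]:
    """Return the indicator names a URL matches, in a fixed order; empty if none."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in CONTACTED_IPS:
        reasons.append("contacted-ip")
    if url == DOWNLOAD_URL:
        reasons.append("download-url")
    if DAT_PATH_RE.match(parts.path):
        # Path shape alone is a weak signal; it becomes strong paired with a listed IP.
        reasons.append("dat-payload-path")
    return tuple(reasons)


def scan(log_text: str) -> List[Hit]:
    """Scan log lines and return one Hit per request that matches any indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole sweep
        _epoch, client, _method, url, _status = fields[:5]
        reasons = classify(url)
        if reasons:
            hits.append(Hit(client=client, url=url, reasons=reasons))
    return hits


def clients_with_strong_hits(hits: List[Hit]) -> List[str]:
    """Clients that reached a listed IP (not merely a .dat-shaped path), for triage order."""
    return sorted({h.client for h in hits if "contacted-ip" in h.reasons})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit.client, hit.url, ",".join(hit.reasons))
    print("triage first:", clients_with_strong_hits(found))
```

Note that a request is flagged even when the server answered with status 000 (connection failed): the report's own verdict rests on the download attempt, not on a successful fetch, and a failed pull still identifies the host that opened the document.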

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
SERVERIUS-ASNL | 1701667874-10042021.xls | malicious | 188.119.113.3
SERVERIUS-ASNL | GlPWvtggPp.exe | malicious | 193.38.55.46
SERVERIUS-ASNL | z8dCygeB6f.exe | malicious | 188.119.113.208
SERVERIUS-ASNL | 173536952-10042021.xls | malicious | 188.119.113.3
SERVERIUS-ASNL | hFRBBl9qJL | malicious | 46.249.32.215
SERVERIUS-ASNL | qVoV2KOkEU | malicious | 46.249.32.215
SERVERIUS-ASNL | gkfL4Bz8D0 | malicious | 46.249.32.215
SERVERIUS-ASNL | Fy6PrO6OOe | malicious | 46.249.32.215
SERVERIUS-ASNL | Trainer v9.2.4.exe | malicious | 45.67.228.152
SERVERIUS-ASNL | 03tjfO4HU9.exe | malicious | 45.67.231.218
SERVERIUS-ASNL | 34e76d8a68c1eefd5681eb51a19019d189323f646c789.exe | malicious | 188.119.113.86
SERVERIUS-ASNL | JNk46WKTxo.exe | malicious | 45.67.228.118
SERVERIUS-ASNL | Document_1752244602-Copy.xls | malicious | 193.38.54.149
SERVERIUS-ASNL | Document_1752244602-Copy.xls | malicious | 193.38.54.149
SERVERIUS-ASNL | Document_1752244602-Copy.xls | malicious | 193.38.54.149
SERVERIUS-ASNL | qbot5.xlsx | malicious | 193.38.54.149
SERVERIUS-ASNL | qbot5.xlsx | malicious | 193.38.54.149
SERVERIUS-ASNL | qbot5.xlsx | malicious | 193.38.54.149
SERVERIUS-ASNL | Document_85143683-Copy.xls | malicious | 193.38.54.149
SERVERIUS-ASNL | Document_5153204-Copy.xls | malicious | 193.38.54.149
OVHFR | 1701667874-10042021.xls | malicious | 5.196.247.11
OVHFR | FOL_JDHD98373_AMAZON_COMPROBANTE_FISCAL_DIGITAL_0398309_JDHSGGS.html | malicious | 144.217.139.163
OVHFR | BROCATELLE.exe | malicious | 178.32.63.50
OVHFR | yutrre123.exe | malicious | 213.186.33.5
OVHFR | dec.exe | malicious | 213.186.33.5
OVHFR | 5DRyQNWb8e.exe | malicious | 51.195.57.236
OVHFR | Contract-No-AJ-1343CL-REFERENCE-837373HHYAAHYSBDDS3736362_OCTOBER-2021.vbs | malicious | 178.32.63.50
OVHFR | P. OFERTA 211008 Balearia Eurolineas Maritimas, S.A.exe | malicious | 94.23.221.28
OVHFR | SCAN_COP.EXE | malicious | 51.210.156.152
OVHFR | CONFIRM_.EXE | malicious | 51.210.156.152
OVHFR | MV ROCKET_PDA.exe | malicious | 37.187.131.150
OVHFR | 6pDnJNQuXp | malicious | 51.161.7.116
OVHFR | fh6FJ4ntlE | malicious | 51.161.7.116
OVHFR | w7l28fLnhL | malicious | 51.161.7.116
OVHFR | Vw1TY7nUmj | malicious | 51.161.7.116
OVHFR | HqFa1ntiY8 | malicious | 51.161.7.116
OVHFR | 0WefzeoV6X | malicious |
                                                                                                                                                • 51.161.7.116
                                                                                                                                                YrNB27LHmuGet hashmaliciousBrowse
                                                                                                                                                • 51.161.7.116
                                                                                                                                                bZEi1V3BCtGet hashmaliciousBrowse
                                                                                                                                                • 51.161.7.116
                                                                                                                                                k0pLFMJMbp.dllGet hashmaliciousBrowse
                                                                                                                                                • 54.39.106.25
                                                                                                                                                OffshoreRacksSAPA1701667874-10042021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.165
                                                                                                                                                AMLRPT_257035367.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.238
                                                                                                                                                AMLRPT_1428592311.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.238
                                                                                                                                                AMLRPT_819011139.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.238
                                                                                                                                                AMLRPT_1428592311.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.238
                                                                                                                                                AMLRPT_819011139.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.238
                                                                                                                                                Document_1680405650-10062021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.107
                                                                                                                                                Document_1680405650-10062021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.107
                                                                                                                                                Document_748968552-10062021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.107
                                                                                                                                                173536952-10042021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.165
                                                                                                                                                UdQiakT3q5.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.187
                                                                                                                                                UdQiakT3q5.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.187
                                                                                                                                                Compensation-54975366-09272021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.178
                                                                                                                                                Compensation-54975366-09272021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.178
                                                                                                                                                CompensationClaim-1630636598-09282021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.187
                                                                                                                                                CompensationClaim-1033191014-09282021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.187
                                                                                                                                                xls.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.178
                                                                                                                                                Compensation-1214892625-09272021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.178
                                                                                                                                                Compensation-2100058996-09272021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.178
                                                                                                                                                Compensation-1657705079-09272021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 190.14.37.178

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A0633F26-EC8F-47DE-85C4-78BC1E11A6E5
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 138049
Entropy (8bit): 5.359443903800741
Encrypted: false
SSDEEP: 1536:PcQIKNZrBdA3gBwfnQ9DQW+zBY34Zzi7nXboOidXVE6LWME9:LWQ9DQW+zbXa1
MD5: C552E0D51C224C027D2A104736A3E120
SHA1: 2A8018013752906D3B1B937966E495EAF5A79212
SHA-256: 206A9EF4269C039E220EEDDC2D05A8B92F379141DDAE853D27B713F02E9EE9E9
SHA-512: 357E7BA89076E0F8E3633ABE36B317556AD525F12CDB2EB3798ECC2A0A662651A0DA29F6A2EE416FFFC9C8AB21008085018883B7224D0345D188EACEC6BA7EDF
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-10-08T20:38:33">.. Build: 16.0.14604.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 170164
Entropy (8bit): 4.366004047943934
Encrypted: false
SSDEEP: 1536:f7nyfzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3oKmmy:f7yc8WpFpKKHHedydFeo+oQLUlPoK0
MD5: CCDCF9F32EA30275AA12EE0C5F1E1C97
SHA1: 6D6AF50F39A813A584ADB72E86950EA4E658C020
SHA-256: 8B3131D27BFBF1D5F49B26CBBBE2767FCD46DC42C5BE70F3210369511168751B
SHA-512: 89B55DD510B18BDF8C338B279E44C8B9A2CD5CAD382A5085679CB995A72C2605C15C3473D11E5341B9AD91B65F2EEC15F47B39962BD5D56DBE8E31EECFC6A180
Malicious: false
Reputation: low
                                                                                                                                                Preview: MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......l...B..........................$................................................ ...............................x...I..............T........................................... ...................................................
C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 15676
Entropy (8bit): 4.563631392944346
Encrypted: false
SSDEEP: 192:y/d4xlA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLdZ:x38xesT20lheZ3waE5D7qxIxkxZ
MD5: 31DB0BA1731116648AAAEC8C7090B256
SHA1: C2E16B85FD0E20CB1DE4ECA308F9E41C2E75039E
SHA-256: 2ECD8535AAC73B8A846B8CD78FC707B380E20F12459713222FA241D8DFBCBB64
SHA-512: 44625FC207DB7307E5625B677BB2D27E9747A017EA132E6AEB89726762FB26FE8F3DD811D8D2DEE61C1602491809998455C806FC69DD2A1537FDF2B6FBD9D435
Malicious: false
Reputation: low
                                                                                                                                                Preview: MSFT................A...............................1............... ...................d...............,...............\...........H...4...........0... ...............................................................x...............................x.......................................................................................$!.......0...+...................{...{...{......P..........................................H.......$!..................................~...~..0....P..,.........................0.....................%!..........................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... ................qdD..I.................E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......|...K..a...

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Oct 4 09:34:12 2021, Security: 0
Entropy (8bit): 7.07736722605419
TrID:
• Microsoft Excel sheet (30009/1) 47.99%
• Microsoft Excel sheet (alternate) (24509/1) 39.20%
• Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name: 1701667874-10042021.xls
File size: 132608
MD5: 1dc3a1c0972a9e32d88e85d1cf8f2c65
SHA1: 808311a07522956f55bf842749083e199b0f04c6
SHA256: 9828f899790d150360e0a3f78f3eb3b758417644bc16896aeb411e2af9e8ea4b
SHA512: 9bd8112044f2ca4f11861a50773c4cd98ce69bb04f523c4168c35481431eb2347a4ecb0e5c806217fdb89a977283168236046ebbdc0d7e556456b6ed5ba575db
SSDEEP: 3072:Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAxc6YehWfGdtUHKGDbpmsii/+u6ssC06+:Sk3hOdsylKlgxopeiBNhZF+E+W2kdAxX
                                                                                                                                                File Content Preview:........................>.......................................................b..............................................................................................................................................................................

                                                                                                                                                File Icon

                                                                                                                                                Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                Static OLE Info

                                                                                                                                                General

                                                                                                                                                Document Type:OLE
                                                                                                                                                Number of OLE Files:1

                                                                                                                                                OLE File "1701667874-10042021.xls"

                                                                                                                                                Indicators

                                                                                                                                                Has Summary Info:True
                                                                                                                                                Application Name:Microsoft Excel
                                                                                                                                                Encrypted Document:False
                                                                                                                                                Contains Word Document Stream:False
                                                                                                                                                Contains Workbook/Book Stream:True
                                                                                                                                                Contains PowerPoint Document Stream:False
                                                                                                                                                Contains Visio Document Stream:False
                                                                                                                                                Contains ObjectPool Stream:
                                                                                                                                                Flash Objects Count:
                                                                                                                                                Contains VBA Macros:True

                                                                                                                                                Summary

                                                                                                                                                Code Page:1251
                                                                                                                                                Author:Test
                                                                                                                                                Last Saved By:Test
                                                                                                                                                Create Time:2015-06-05 18:17:20
                                                                                                                                                Last Saved Time:2021-10-04 08:34:12
                                                                                                                                                Creating Application:Microsoft Excel
                                                                                                                                                Security:0

                                                                                                                                                Document Summary

                                                                                                                                                Document Code Page:1251
                                                                                                                                                Thumbnail Scaling Desired:False
                                                                                                                                                Company:
                                                                                                                                                Contains Dirty Links:False
                                                                                                                                                Shared Document:False
                                                                                                                                                Changed Hyperlinks:False
                                                                                                                                                Application Version:1048576

                                                                                                                                                Streams with VBA

VBA File Name: UserForm2, Stream Size: -1
General
Stream Path:_VBA_PROJECT_CUR/UserForm2
VBA File Name:UserForm2
Stream Size:-1
Data ASCII:
Data Raw:
VBA Code
VBA File Name: Module1, Stream Size: 1533
General
Stream Path:_VBA_PROJECT_CUR/VBA/Module1
VBA File Name:Module1
Stream Size:1533
VBA Code
VBA File Name: Module5, Stream Size: 3595
General
Stream Path:_VBA_PROJECT_CUR/VBA/Module5
VBA File Name:Module5
Stream Size:3595
VBA Code
VBA File Name: Sheet1, Stream Size: 991
General
Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:Sheet1
Stream Size:991
VBA Code
VBA File Name: ThisWorkbook, Stream Size: 3459
General
Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:ThisWorkbook
Stream Size:3459
VBA Code
VBA File Name: UserForm2, Stream Size: 1182
General
Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
VBA File Name:UserForm2
Stream Size:1182
VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 108
General
Stream Path:\x1CompObj
File Type:data
Stream Size:108
Entropy:4.18849998853
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:244
Entropy:2.65175227267
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:208
Entropy:3.33231709703
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . r . . . . . . . . . . . . .
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101931
General
Stream Path:Workbook
File Type:Applesoft BASIC program data, first line number 16
Stream Size:101931
Entropy:7.65144710562
Base64 Encoded:True
Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V q % 8 . . . . . . . X . @
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 704
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:704
Entropy:5.29068090087
Base64 Encoded:True
Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0
Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
General
Stream Path:_VBA_PROJECT_CUR/PROJECTlk
File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
Stream Size:30
Entropy:1.37215976263
Base64 Encoded:False
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 140
General
Stream Path:_VBA_PROJECT_CUR/PROJECTwm
File Type:data
Stream Size:140
Entropy:3.43277227638
Base64 Encoded:False
Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
General
Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
File Type:data
Stream Size:97
Entropy:3.61064918306
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
General
Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
File Type:ASCII text, with CRLF line terminators
Stream Size:302
Entropy:4.66028783691
Base64 Encoded:True
Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 283
General
Stream Path: _VBA_PROJECT_CUR/UserForm2/f
File Type: data
Stream Size: 283
Entropy: 3.66259370036
Base64 Encoded: False
Data ASCII: . . ( . H . . . . . . . . @ . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 5 . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . D . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 t . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . P . . . . . . . L a b e l
Data Raw: 00 04 28 00 48 0c 10 0c 0b 00 00 00 04 40 00 00 ff ff 00 00 12 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 04 00 00 00 b4 00 00 00 00 84 01 00 00 00 28 00 f5 01 00 00 06 00 00 80 07 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 35 00 d4
Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 292
General
Stream Path: _VBA_PROJECT_CUR/UserForm2/o
File Type: data
Stream Size: 292
Entropy: 3.97404939222
Base64 Encoded: True
Data ASCII: . . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 6 5 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . $ . ( . . . . . . . h t t p : / / 5 . 1 9 6 . 2 4 7 . 1 1 / . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 8 . 1 1 9 . 1 1 3 . 3 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . 0 . ( . . . . . . . r e g s v r 3 2 - s i l e n t . . \ C e l o d . w a c . . .
Data Raw: 00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 36 35 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 24 00 28 00 00 00 14 00 00 80 68 74 74 70 3a 2f 2f 35 2e 31 39 36 2e 32 34 37 2e 31 31 2f 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4544
General
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type: data
Stream Size: 4544
Entropy: 4.47759533359
Base64 Encoded: False
Data ASCII: . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \ . P . r . o . g . r . a . m . . F . i . l . e . s . \ . C . o . m . m . o . n . . F . i . l . e . s . \ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \ . V . B . A . \ . V . B . A . 7 . . . 1 . \ . V . B . E . 7 .
Data Raw: cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2514
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0
File Type: data
Stream Size: 2514
Entropy: 3.52144078534
Base64 Encoded: False
Data ASCII: . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . < . . . ] . . N
Data Raw: 93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 04 00 00 00 00 00 01 00 02 00 04 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 146
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
File Type: data
Stream Size: 146
Entropy: 1.48909835582
Base64 Encoded: False
Data ASCII: r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
Data Raw: 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 213
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2
File Type: data
Stream Size: 213
Entropy: 1.85324367791
Base64 Encoded: False
Data ASCII: r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . .
Data Raw: 72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 0c 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 206
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3
File Type: data
Stream Size: 206
Entropy: 1.75287863305
Base64 Encoded: False
Data ASCII: r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw: 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1075
General
Stream Path: _VBA_PROJECT_CUR/VBA/dir
File Type: data
Stream Size: 1075
Entropy: 6.6867836299
Base64 Encoded: True
Data ASCII: . / . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . R c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \ W . i n d o w s \ S . y s t e m 3 2 \ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
Data Raw: 01 2f b4 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 bd 98 a0 52 63 01 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e
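
The UserForm2 streams above are where this document keeps its strings: the \x3VBFrame text shows the form's own Caption is "URLDownloadToFileA", and the "o" stream (the form's control data) holds the three download URLs and the regsvr32 command line as Label captions, outside the VBA module code. The following is an added example for this report, not code from the sandbox or from the sample, that walks those records using the MS-OFORMS layout (a LabelControl record followed by the TextProps font record for each label). Its input is the 128-byte "Data Raw" excerpt printed above; the report truncates the 292-byte stream there, so the walker recovers the first two captions and stops inside the second label's font record, where the later captions (the third URL and the regsvr32 line, visible in the Data ASCII column) would follow. Only the property bits this sample sets are decoded; anything else raises rather than mis-parsing.

```python
"""Walk the Label and TextProps records in a VBA UserForm "o" stream (MS-OFORMS layout).

Added example for this sandbox report, not code from the report or the sample.
"""
import struct

# First 128 bytes of _VBA_PROJECT_CUR/UserForm2/o, copied from the report's "Data Raw"
# field (the report truncates the dump; the stream itself is 292 bytes).
O_STREAM_HEX = (
    "00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 36 35 "
    "2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 "
    "54 61 68 6f 6d 61 00 00 00 02 24 00 28 00 00 00 14 00 00 80 68 74 74 70 3a 2f 2f 35 2e 31 39 36 "
    "2e 32 34 37 2e 31 31 2f 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00"
)

LABEL_KNOWN_BITS = 0x3F      # fForeColor, fBackColor, fVariousPropertyBits, fCaption, fPicturePosition, fSize
TEXTPROPS_KNOWN_BITS = 0x37  # fFontName, fFontEffects, fFontHeight, fFontCharSet, fFontPitchAndFamily


def _u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def _record_header(data, off):
    """MinorVersion(1) MajorVersion(1) cb(2): returns (start of body, cb), or None if not v2 / truncated."""
    if off + 4 > len(data):
        return None
    _minor, major, cb = struct.unpack_from("<BBH", data, off)
    if major != 2 or off + 4 + cb > len(data):
        return None
    return off + 4, cb


def _read_string(data, off, count):
    """Bit 31 of the count marks a 'compressed' one-byte-per-char string; strings pad to 4 bytes."""
    n = count & 0x7FFFFFFF
    raw = data[off:off + n]
    if len(raw) != n:
        raise ValueError("string runs past the end of the stream")
    text = raw.decode("latin-1") if count & 0x80000000 else raw.decode("utf-16-le")
    return text, (n + 3) & ~3


def parse_label(data, off):
    """LabelControl: PropMask, DataBlock (fixed-size fields in bit order), ExtraDataBlock (caption, size)."""
    hdr = _record_header(data, off)
    if hdr is None:
        return None
    p, cb = hdr
    end = p + cb
    mask = _u32(data, p)
    p += 4
    if mask & ~LABEL_KNOWN_BITS:
        raise NotImplementedError(f"label PropMask {mask:#x} sets bits this walker does not decode")
    p += 4 * bin(mask & 0x07).count("1")   # ForeColor / BackColor / VariousPropertyBits: 4 bytes each
    caption_count = None
    if mask & 0x08:                        # fCaption: the DataBlock holds only the byte count
        caption_count = _u32(data, p)
        p += 4
    if mask & 0x10:                        # fPicturePosition
        p += 4
    caption, size = "", None
    if caption_count is not None:          # ExtraDataBlock starts right after the DataBlock
        caption, used = _read_string(data, p, caption_count)
        p += used
    if mask & 0x20:                        # fSize: width, height
        size = struct.unpack_from("<II", data, p)
    return {"caption": caption, "size": size, "next": end}


def parse_textprops(data, off):
    """TextProps: the font record that follows each label's control record."""
    hdr = _record_header(data, off)
    if hdr is None:
        return None
    p, cb = hdr
    end = p + cb
    mask = _u32(data, p)
    p += 4
    if mask & ~TEXTPROPS_KNOWN_BITS:
        raise NotImplementedError(f"TextProps PropMask {mask:#x} sets bits this walker does not decode")
    name_count = height = charset = None
    if mask & 0x01:                        # fFontName: byte count here, the name is in the ExtraDataBlock
        name_count = _u32(data, p)
        p += 4
    if mask & 0x02:                        # fFontEffects
        p += 4
    if mask & 0x04:                        # fFontHeight in twips (165 = 8.25 pt, the UserForm default)
        height = _u32(data, p)
        p += 4
    if mask & 0x10:                        # fFontCharSet, one byte (204 = RUSSIAN_CHARSET in GDI terms)
        charset = data[p]
        p += 1
    if mask & 0x20:                        # fFontPitchAndFamily, one byte
        p += 1
    p = (p + 3) & ~3                       # DataBlock pads to a 4-byte boundary
    name = _read_string(data, p, name_count)[0] if name_count is not None else ""
    return {"font": name, "height_twips": height, "charset": charset, "next": end}


def walk_labels(hex_dump):
    """Return one dict per label: caption, size and the font record that follows it (None if cut off)."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    controls, off = [], 0
    while (label := parse_label(data, off)) is not None:
        font = parse_textprops(data, label["next"])
        entry = {"caption": label["caption"], "size": label["size"],
                 "font": None, "height_twips": None, "charset": None}
        if font is not None:
            entry.update({k: font[k] for k in ("font", "height_twips", "charset")})
        controls.append(entry)
        if font is None:
            break                          # dump ends inside this font record
        off = font["next"]
    return controls


if __name__ == "__main__":
    for control in walk_labels(O_STREAM_HEX):
        print(control)
```

Run against the full 292-byte stream extracted with an OLE tool, the same walker should return all four captions; on the excerpt it returns the two URLs and the first label's Tahoma 8.25 pt font with charset 204, which is a small locale hint about the machine the form was built on.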

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/08/21-22:31:07.677315 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 186.148.101.114 | 192.168.2.22
10/08/21-22:31:11.677211 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 186.148.101.114 | 192.168.2.22
10/08/21-22:31:19.027109 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 186.148.101.114 | 192.168.2.22
10/08/21-22:31:29.867071 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 186.148.101.114 | 192.168.2.22
10/08/21-22:31:34.047252 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 186.148.101.114 | 192.168.2.22
10/08/21-22:31:40.057139 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 186.148.101.114 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2021 22:38:36.511486053 CEST | 49762 | 80 | 192.168.2.4 | 190.14.37.165
Oct 8, 2021 22:38:39.518912077 CEST | 49762 | 80 | 192.168.2.4 | 190.14.37.165
Oct 8, 2021 22:38:45.534962893 CEST | 49762 | 80 | 192.168.2.4 | 190.14.37.165
Oct 8, 2021 22:38:57.577377081 CEST | 49774 | 80 | 192.168.2.4 | 5.196.247.11
Oct 8, 2021 22:39:00.583188057 CEST | 49774 | 80 | 192.168.2.4 | 5.196.247.11
Oct 8, 2021 22:39:06.583734989 CEST | 49774 | 80 | 192.168.2.4 | 5.196.247.11
Oct 8, 2021 22:39:18.595699072 CEST | 49791 | 80 | 192.168.2.4 | 188.119.113.3
Oct 8, 2021 22:39:21.600589991 CEST | 49791 | 80 | 192.168.2.4 | 188.119.113.3
Oct 8, 2021 22:39:27.616877079 CEST | 49791 | 80 | 192.168.2.4 | 188.119.113.3
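
The TCP table lists three packets per download host and nothing in the other direction. Windows retries an unanswered SYN after 3 s and again after 6 s (initial RTO of 3 s, doubled, two connect retransmissions by default), which is exactly the spacing of each triple here, so the table is the raw form of the "servers are down" verdict. The following is an added example for this report, not sandbox code, that makes that check explicit over the nine rows above; the client address 192.168.2.4 is taken from the table, and the reply row used in the usage note is constructed.

```python
"""Check whether the TCP connections a sample made were ever answered.

Added example for this sandbox report; the rows are the report's "TCP Packets" table split
into columns, the retry schedule is the Windows default.
"""
from collections import defaultdict
from datetime import datetime

# (timestamp, source port, dest port, source IP, dest IP) as printed in the report
TCP_PACKETS = [
    ("Oct 8, 2021 22:38:36.511486053 CEST", 49762, 80, "192.168.2.4", "190.14.37.165"),
    ("Oct 8, 2021 22:38:39.518912077 CEST", 49762, 80, "192.168.2.4", "190.14.37.165"),
    ("Oct 8, 2021 22:38:45.534962893 CEST", 49762, 80, "192.168.2.4", "190.14.37.165"),
    ("Oct 8, 2021 22:38:57.577377081 CEST", 49774, 80, "192.168.2.4", "5.196.247.11"),
    ("Oct 8, 2021 22:39:00.583188057 CEST", 49774, 80, "192.168.2.4", "5.196.247.11"),
    ("Oct 8, 2021 22:39:06.583734989 CEST", 49774, 80, "192.168.2.4", "5.196.247.11"),
    ("Oct 8, 2021 22:39:18.595699072 CEST", 49791, 80, "192.168.2.4", "188.119.113.3"),
    ("Oct 8, 2021 22:39:21.600589991 CEST", 49791, 80, "192.168.2.4", "188.119.113.3"),
    ("Oct 8, 2021 22:39:27.616877079 CEST", 49791, 80, "192.168.2.4", "188.119.113.3"),
]

# Windows default: TcpMaxConnectRetransmissions = 2 with a 3 s initial RTO that doubles
WINDOWS_SYN_RETRY_GAPS = [3.0, 6.0]
_EPOCH = datetime(1970, 1, 1)


def parse_timestamp(ts):
    """'Oct 8, 2021 22:38:36.511486053 CEST' -> seconds (fraction kept, zone name ignored)."""
    head, rest = ts.split(".")
    frac = rest.split(" ")[0]
    base = datetime.strptime(head, "%b %d, %Y %H:%M:%S")
    return (base - _EPOCH).total_seconds() + int(frac) / 10 ** len(frac)


def connection_attempts(packets, client_ip, tolerance=0.5):
    """One summary per client->server flow: attempts, gaps, and whether the server ever replied."""
    outbound = defaultdict(list)
    answered = set()
    for ts, sport, dport, src, dst in packets:
        t = parse_timestamp(ts)
        if src == client_ip:
            outbound[(sport, dst, dport)].append(t)
        elif dst == client_ip:                 # packet back from the server: same flow, ports swapped
            answered.add((dport, src, sport))
    report = []
    for key, times in sorted(outbound.items(), key=lambda kv: min(kv[1])):
        times.sort()
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        retry_pattern = len(gaps) == len(WINDOWS_SYN_RETRY_GAPS) and all(
            abs(g - want) <= tolerance for g, want in zip(gaps, WINDOWS_SYN_RETRY_GAPS))
        report.append({
            "server": f"{key[1]}:{key[2]}",
            "client_port": key[0],
            "attempts": len(times),
            "gaps": gaps,
            "answered": key in answered,
            "windows_syn_retry": retry_pattern,
        })
    return report


def dead_hosts(packets, client_ip):
    """Servers that only ever saw the SYN retry schedule and never sent anything back."""
    return [r["server"] for r in connection_attempts(packets, client_ip)
            if r["windows_syn_retry"] and not r["answered"]]


if __name__ == "__main__":
    for row in connection_attempts(TCP_PACKETS, "192.168.2.4"):
        print(row)
    print("dead:", dead_hosts(TCP_PACKETS, "192.168.2.4"))
```

Appending a constructed reply row such as `("Oct 8, 2021 22:38:36.600000000 CEST", 80, 49762, "190.14.37.165", "192.168.2.4")` flips the first flow to answered and drops that host from `dead_hosts`, which is the distinction that separates an expired dropper from one whose stage two was simply not captured.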

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 8, 2021 22:38:49.388036966 CEST | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.a.dns.azurefd.net | a-0019.standard.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 22:38:30
Start date: 08/10/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x140000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:39:38
Start date: 08/10/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -silent ..\Celod.wac
Imagebase: 0x110000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:39:39
Start date: 08/10/2021
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32 -silent ..\Celod.wac1
Imagebase: 0x110000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                General

                                                                                                                                                Start time:22:39:39
                                                                                                                                                Start date:08/10/2021
                                                                                                                                                Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:regsvr32 -silent ..\Celod.wac2
                                                                                                                                                Imagebase:0x110000
                                                                                                                                                File size:20992 bytes
                                                                                                                                                MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
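The regsvr32 records above share two traits a detection engineer can key on: the module handed to regsvr32 does not carry a .dll extension (Celod.wac1, Celod.wac2) and it is referenced by a relative path walking out of the current directory. The following Python is an added example, not part of the Joe Sandbox report or its analysis engine; it parses process-creation command lines the way these records present them and flags exactly those two traits. The sample records are constructed for the demo (two reuse the command lines from the records above, the others are benign-looking contrasts), and the record field names (pid, image, cmdline) are assumptions.

```python
"""Flag regsvr32 invocations whose target is not a .dll or is a relative path.

Added example; the records at the bottom are constructed for the demo
(two of them reuse the command lines from the process records above).
"""
import ntpath


def split_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows-style split: whitespace separates arguments,
    double quotes group them. Sufficient for process-creation log lines."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def regsvr32_target(cmdline: str):
    """Return the module regsvr32 was asked to register, or None if the
    command line is not a regsvr32 invocation. Anything starting with '/'
    or '-' is treated as a switch, which covers /s, /u, /n, /i:arg and the
    '-silent' spelling seen in the records above."""
    args = split_cmdline(cmdline)
    if not args:
        return None
    exe = ntpath.basename(args[0]).lower()
    if exe not in ("regsvr32", "regsvr32.exe"):
        return None
    for arg in args[1:]:
        if arg.startswith(("/", "-")):
            continue
        return arg
    return None


def assess(cmdline: str) -> list[str]:
    """Reasons a regsvr32 command line looks like a document-dropped loader;
    an empty list means benign-looking or not regsvr32 at all."""
    target = regsvr32_target(cmdline)
    if target is None:
        return []
    reasons = []
    if ntpath.splitext(target)[1].lower() != ".dll":
        reasons.append("target extension is not .dll")
    if not ntpath.isabs(target):
        reasons.append("target is a relative path")
    return reasons


def scan(records):
    """Run assess() over process-creation records ({'pid', 'image', 'cmdline'},
    assumed field names) and return the flagged ones with reasons attached."""
    hits = []
    for rec in records:
        reasons = assess(rec["cmdline"])
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


# Constructed records: the first two reuse the command lines from the
# report above, the last two are benign-looking invocations for contrast.
SAMPLE_RECORDS = [
    {"pid": 1, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32 -silent ..\Celod.wac1"},
    {"pid": 2, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32 -silent ..\Celod.wac2"},
    {"pid": 3, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s C:\Windows\System32\scrrun.dll'},
    {"pid": 4, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir ..\Celod.wac1"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["pid"], hit["cmdline"], "->", "; ".join(hit["reasons"]))
```

The extension check is a heuristic, not a guarantee: regsvr32 passes the path to LoadLibrary and does not care what the file is called, so a loader that drops its payload as something.dll slips past it. In practice the command-line check is paired with the parent-process relationship (an Office application spawning regsvr32), which is the stronger of the two signals and is independent of how the dropped file was named.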
